Many password managers vulnerable to AutoSpill attack on Android

A team of researchers has uncovered a new vulnerability, dubbed “AutoSpill,” affecting several popular password managers on Android, according to a recent TechCrunch report. The flaw lets a malicious app capture the login credentials a password manager autofills, by abusing how Android’s autofill behaves when a login page is rendered inside the app’s own WebView component.

According to Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava of IIIT Hyderabad in India, the attack works when an app displays a third-party login page inside a WebView rather than handing the login off to an external browser. The password manager cannot reliably tell the WebView’s login form apart from the host app’s own native text fields, so credentials meant for the site shown in the WebView can be auto-filled into fields the host app controls, where the app can simply read them.
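The defence this mechanism implies is for the autofill service to bind each credential to the origin of the field it is about to fill: web credentials go only into WebView nodes that report that exact domain, and native fields of the host app get only credentials saved for that app. The sketch below is an added example written for this article, not code from the researchers or from any of the password managers named; it uses the public Android Autofill framework APIs and assumes a hypothetical credential store (`forWebDomain`, `forPackage`) and layout resources (`R.layout.autofill_item`, `R.id.autofill_text`) that are not part of the original page.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Illustrative autofill service that refuses to fill web credentials into native fields. */
public class DomainBoundAutofillService extends AutofillService {

    /** One stored login. The backing store is assumed for this example, not shown. */
    static final class Credential {
        final String label, username, password;
        Credential(String label, String username, String password) {
            this.label = label; this.username = username; this.password = password;
        }
    }

    /** A fillable field together with the origin it belongs to. */
    static final class Field {
        final AutofillId id;
        final boolean isPassword;
        final String webDomain;   // null for a native view; the page's domain for a WebView node
        Field(AutofillId id, boolean isPassword, String webDomain) {
            this.id = id; this.isPassword = isPassword; this.webDomain = webDomain;
        }
    }

    // Hypothetical lookups (assumptions for this example, replace with a real store):
    // credentials saved for a web domain, and credentials saved for an Android package.
    Credential forWebDomain(String domain) { return null; }
    Credential forPackage(String packageName) { return null; }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        List<Field> fields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collectFields(structure.getWindowNodeAt(i).getRootViewNode(), fields);
        }

        FillResponse.Builder response = new FillResponse.Builder();
        boolean offered = false;

        // Native fields of the host app: only credentials saved for this very package.
        offered |= addDataset(response, fields, null, forPackage(hostPackage));

        // WebView fields: only credentials for the exact domain the WebView reports,
        // and only into nodes carrying that domain. Never into native fields.
        for (String domain : distinctWebDomains(fields)) {
            offered |= addDataset(response, fields, domain, forWebDomain(domain));
        }

        // A null response tells the framework this service has nothing to offer.
        callback.onSuccess(offered ? response.build() : null);
    }

    /** Walk the view tree, keeping username/password fields and their web origin. */
    static void collectFields(ViewNode node, List<Field> out) {
        if (node == null) return;
        String[] hints = node.getAutofillHints();
        if (hints != null && node.getAutofillId() != null) {
            List<String> h = Arrays.asList(hints);
            boolean pw = h.contains(View.AUTOFILL_HINT_PASSWORD);
            boolean user = h.contains(View.AUTOFILL_HINT_USERNAME)
                        || h.contains(View.AUTOFILL_HINT_EMAIL_ADDRESS);
            // getWebDomain() is set by WebView for its virtual nodes and is null for native views.
            if (pw || user) out.add(new Field(node.getAutofillId(), pw, node.getWebDomain()));
        }
        for (int i = 0; i < node.getChildCount(); i++) collectFields(node.getChildAt(i), out);
    }

    static List<String> distinctWebDomains(List<Field> fields) {
        List<String> domains = new ArrayList<>();
        for (Field f : fields) {
            if (f.webDomain != null && !domains.contains(f.webDomain)) domains.add(f.webDomain);
        }
        return domains;
    }

    /**
     * Add one dataset that fills ONLY fields whose origin equals {@code origin}
     * (null = native views of the host app). Returns false if nothing was added.
     */
    boolean addDataset(FillResponse.Builder response, List<Field> fields, String origin, Credential cred) {
        if (cred == null) return false;
        RemoteViews presentation = new RemoteViews(getPackageName(), R.layout.autofill_item); // assumed layout
        presentation.setTextViewText(R.id.autofill_text, cred.label);                          // assumed view id
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        boolean any = false;
        for (Field f : fields) {
            boolean sameOrigin = origin == null ? f.webDomain == null : origin.equals(f.webDomain);
            if (!sameOrigin) continue;   // the origin check whose absence AutoSpill exploits
            dataset.setValue(f.id, AutofillValue.forText(f.isPassword ? cred.password : cred.username));
            any = true;
        }
        if (any) response.addDataset(dataset.build());
        return any;
    }
}
```

Two caveats a practitioner should keep in mind. First, `ViewStructure.setWebDomain` is a public API, so a hostile app can label its own virtual nodes with any domain; the Android documentation therefore tells autofill services to confirm, via Digital Asset Links, that the host package is actually associated with the domain it claims before filling. Second, this check only stops credentials from spilling into the host app’s native fields. If the host injects JavaScript into its own WebView, it can still read whatever is filled into the page, which is the second finding reported below; for third-party logins the robust answer remains sending the user to a real browser rather than an embedded WebView.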

“Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information,” explained Gangwal.

The researchers tested AutoSpill against leading Android password managers, including 1Password, LastPass, Keeper, and Enpass, on fully updated Android devices. Most were vulnerable even without the host app injecting any JavaScript into the login page; once JavaScript injection was enabled, every tested password manager was susceptible.

The implications are serious given how widely password managers are used to store credentials for many online services. If exploited, the flaw gives a malicious app easy access to a trove of usernames and passwords.

Gangwal disclosed the findings to both Google and the affected password manager developers. 1Password has acknowledged the vulnerability and says it has identified a fix that will ship in a future update. LastPass has also put mitigations in place. Other vendors have yet to publicly comment or confirm plans to address the issue.

The research team says it is still investigating whether a similar attack is possible on iOS. For now, Android users should be wary when a password manager offers to autofill a third-party site’s credentials inside another app, especially when the login page is shown in an embedded WebView rather than a browser. As always, install apps only from trusted sources such as the Google Play Store.

The AutoSpill research highlights the growing challenge of securing credentials across the modern app ecosystem. As login flows increasingly move from the browser into in-app embedded web views, vulnerabilities like this show that the risks of that shift are still being uncovered.

Radek Zielinski
Tech Journalist

Radek Zielinski is an experienced technology and financial journalist with a passion for cybersecurity and futurology.
