December 9, 2023 at 11:20AM
Researchers presented the AutoSpill attack, targeting Android password managers during the autofill process. It exploits weaknesses in WebView controls, potentially leaking account credentials to the invoking app. Multiple password managers were found susceptible, with vendors taking steps to address the issue. The attack highlights the need for improved security measures in autofill processes.
Based on the meeting notes, here are the key takeaways:
1. Security researchers from IIIT Hyderabad presented a new attack named AutoSpill at the Black Hat Europe security conference. They found that most password managers for Android are vulnerable to the AutoSpill attack, even without JavaScript injection.
2. AutoSpill exploits weaknesses in the autofill process on Android. It allows a rogue app serving a login form to capture user credentials without leaving any indication of compromise.
3. The identified vulnerable password managers on Android 10, 11, and 12 include 1Password, LastPass, Enpass, Keeper, and Keepass2Android.
4. Google Smart Lock and Dashlane follow a different technical approach for autofill and did not leak sensitive data to the host app unless JavaScript injection was used.
5. Software vendors and Android’s security team were informed of the findings, and proposals for addressing the problem were shared. 1Password has identified a fix for AutoSpill and is working on it. LastPass had a mitigation in place and added more informative wording in their pop-up warning. Keeper has safeguards in place to protect users against automatically filling credentials into an untrusted application.
6. Google recommended that third-party password managers implement WebView best practices, and highlighted that they provide server-side protections for logins via WebView.
These takeaways capture the key points from the meeting notes regarding the AutoSpill attack and its impact on password managers for Android.