Popular Android Password Managers Vulnerable to AutoSpill Flaw

A number of popular mobile password managers are inadvertently spilling user credentials because of a weakness in the autofill flow of Android apps. The vulnerability, known as AutoSpill, was discovered by university researchers at IIIT Hyderabad, who presented their findings at Black Hat Europe. The researchers found that when an Android app loads a login page in WebView, the browser engine that Google ships with Android, password managers can expose the user's saved credentials for that web page to the host app's native input fields. This poses a significant risk: any malicious app that asks the user to log in to another site through an embedded web page can automatically receive the credentials meant for that site. The researchers tested popular password managers, including 1Password, LastPass, Keeper, and Enpass, and found that most were vulnerable to credential leakage. They have alerted Google and the affected password managers to the flaw and are currently exploring the reverse possibility, extracting credentials from the app into WebView. It is unclear whether the vulnerability can be replicated on iOS.
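The defensive principle behind the fix is that a credential saved for a web domain should only ever be filled into fields that belong to that web page, never into native views of the hosting app. The Android autofill framework exposes enough structure to enforce this: form fields rendered by a WebView carry a `webDomain` in the `AssistStructure`, while the host app's own views do not. The following is an added illustration written for this article, not code from any of the password managers or from the researchers, and it assumes a hypothetical `WebCredential` record and an in-memory vault in place of a real encrypted store. It scopes each fill to fields under a web domain and leaves native fields untouched.

```kotlin
import android.app.assist.AssistStructure
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

// Hypothetical vault record; a real service would read this from its encrypted store.
data class WebCredential(val domain: String, val username: String, val password: String)

// One autofillable field found in the request, with the web domain it belongs to
// (null means the field is a native view of the host app, not part of a web page).
data class Field(val id: AutofillId, val hint: String, val domain: String?)

class ScopedAutofillService : AutofillService() {

    // Constructed sample entry for illustration only.
    private val vault = listOf(WebCredential("example.com", "alice", "correct horse battery staple"))

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val fields = mutableListOf<Field>()
        for (i in 0 until structure.windowNodeCount) {
            collect(structure.getWindowNodeAt(i).rootViewNode, inheritedDomain = null, out = fields)
        }

        // Only fields that live under a web domain are candidates. Native fields
        // (domain == null) are deliberately excluded so that a credential for the
        // embedded page is never spilled into the host app's own views.
        val webFields = fields.filter { it.domain != null }
        val domain = webFields.firstOrNull()?.domain
        val cred = domain?.let { d -> vault.firstOrNull { it.domain == d || d.endsWith("." + it.domain) } }
        if (cred == null) {
            callback.onSuccess(null) // nothing to offer for this page
            return
        }

        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1)
        presentation.setTextViewText(android.R.id.text1, cred.username)
        val dataset = Dataset.Builder(presentation)
        for (f in webFields.filter { it.domain == domain }) {
            val value = when (f.hint) {
                View.AUTOFILL_HINT_USERNAME -> cred.username
                View.AUTOFILL_HINT_PASSWORD -> cred.password
                else -> continue
            }
            dataset.setValue(f.id, AutofillValue.forText(value))
        }
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    // Walk the view tree. A node inherits the web domain of its nearest ancestor
    // that has one, so inputs inside a WebView page are tagged with that page's domain.
    private fun collect(node: AssistStructure.ViewNode, inheritedDomain: String?, out: MutableList<Field>) {
        val domain = node.webDomain ?: inheritedDomain
        val id = node.autofillId
        val hints = node.autofillHints
        if (id != null && hints != null) {
            for (h in hints) {
                if (h == View.AUTOFILL_HINT_USERNAME || h == View.AUTOFILL_HINT_PASSWORD) {
                    out.add(Field(id, h, domain))
                }
            }
        }
        for (i in 0 until node.childCount) {
            collect(node.getChildAt(i), domain, out)
        }
    }
}
```

The key design choice is the `domain == null` exclusion: a field with no web domain belongs to the host app, and a web credential has no business there. A production service would additionally confirm that the host app is legitimately associated with the domain (for example via Digital Asset Links) before offering the credential at all, which this illustration does not attempt.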