Security researchers have devised a new attack, which they call AutoSpill, that steals Android account credentials during autofill.
How AutoSpill functions
Android apps frequently render web content, like login pages, within the app using WebView controls rather than sending users to the main browser, which would be more difficult on devices with small screens.
When an app uses the platform's WebView to load the login page of a service such as Apple, Facebook, Microsoft, or Google, Android password managers automatically enter the user's account information into that page.
The root cause of AutoSpill is that Android neither specifies nor enforces who is responsible for handling auto-filled data securely, so the data can leak to, or be captured by, the host app.
Under certain circumstances, a malicious application displaying a login form can obtain the user's credentials covertly, without leaving any trace of the breach. The researchers' slides from their Black Hat Europe presentation provide more technical detail on the AutoSpill attack.
Impact and fix
Using Android's autofill framework, the researchers tested AutoSpill against several password managers on Android 10, 11, and 12. They found that 1Password 7.9.4, LastPass 188.8.131.5219, Enpass 184.108.40.2066, Keeper 220.127.116.118, and Keepass2Android 1.09c-r0 are vulnerable.
The researchers shared their findings, along with recommended fixes, with Android's security team and the affected vendors. The report was accepted as valid, but no details of the planned fixes were disclosed.
Keeper has security measures to prevent users from inadvertently entering login credentials into an untrusted application or website that they haven’t specifically authorized. When a user tries to autofill credentials into an Android application or website, Keeper on the Android platform prompts them. Before entering any information, the user is prompted to verify that the application is linked to the Keeper password record. Since this information relates specifically to the Android platform, we advised the researcher to submit his report to Google on June 29. We also shared this information with him.
Generally speaking, a malicious Android application would have to be submitted to the Google Play Store, reviewed by Google, and then authorized for release. After that, the user would have to download and run the malicious app from Google Play to use it. Alternatively, sideloading a malicious application would require the user to override crucial security settings on their device.
Keeper consistently advises users to exercise caution and diligence when selecting apps and to install published Android apps only from reputable app stores like the Google Play Store. – Craig Lurey, Keeper Security’s CTO and co-founder
Among the many ways that Android developers use WebView is to host login pages for their services within their apps. The way password managers use the autofill APIs to interact with WebViews is the source of this problem.
In addition to our WebView best practices, which we advise all password managers to follow, we advise third-party password managers to exercise caution when entering passwords. Android gives password managers the necessary context to determine whether a WebView is being loaded independently of the hosting app and to differentiate between native views and WebViews.
When Google Password Manager is used for autofill on Android, for instance, users are alerted if they enter a password for a domain that Google determines may not be owned by the hosting app, and the password is only entered in the correct field. Google uses server-side security measures for WebView logins. – A Google representative
Passwords are Taken From Password Managers by AutoSpill Attack
“AutoSpill,” a novel attack created by researchers, targets several well-known Android password managers.
The vulnerability, which was highlighted at the Black Hat Europe conference last week, raises serious security concerns for Android users by possibly allowing malicious apps to steal user credentials during the autofill process.
Android's autofill feature becomes insecure when online forms that use third-party authentication are filled inside an app. Applications can have login forms filled by an internal or external password manager through the autofill service.
The credential-stealing path lies in the WebView controls that Android offers to applications. WebView lets an app render web content inside itself rather than launching the system browser, giving users a seamless experience.
WebView also gives applications a built-in, browser-like process that can be used to log in to other websites or applications via the OAuth protocol, including Microsoft, Google, and other login services.
Because these apps can offer third-party authentication inside the WebView, the Autofill service attempts to fill the login form there with the password manager's data.
Instead of the authentication remaining confined to the WebView, this service has been found to leak the credentials to the hosting application.
Put differently, when a user opens an application that uses a WebView and tries to log in with "Login with Google", "Login with Microsoft", etc., the application displays the authentication page and the user is offered autofill from the keyboard to enter the required information.
During this process, the application hosting the WebView gains access to the autofill credentials stored in the Android password manager. The technique lets a threat actor obtain credentials without phishing or any other kind of malicious code.
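The check that Keeper and Google describe above, and that the leak just described calls for, can be modelled as a policy the password manager applies before filling: a WebView field is filled automatically only when the page's domain is known to vouch for the hosting app; otherwise the user is asked first. The code below is an added illustration, not code from Android, Keeper or Google; the vault, asset-links table and trusted-browser list are constructed, and the Android fields they stand in for are named in comments.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for what an AutofillService receives per request:
# the hosting app's package (AssistStructure.getActivityComponent) and, for
# fields inside a WebView, the page domain (ViewNode.getWebDomain); None means
# the field is a native view owned by the host app itself.
@dataclass(frozen=True)
class FillRequest:
    host_package: str
    web_domain: Optional[str] = None

# Constructed vault: records keyed by the site or package they belong to.
VAULT = {
    "accounts.google.com": ("alice@example.com", "hunter2-google"),
    "com.example.bank": ("alice", "hunter2-bank"),
}

# Constructed stand-in for Digital Asset Links: packages a domain vouches for.
ASSET_LINKS = {"accounts.google.com": {"com.google.android.gms"}}

# Constructed allowlist of browsers whose WebView-like tabs are trusted hosts.
TRUSTED_BROWSERS = {"com.android.chrome"}

def decide_fill(req: FillRequest, vault=VAULT, links=ASSET_LINKS,
                browsers=TRUSTED_BROWSERS) -> Tuple[str, Optional[tuple]]:
    """Return ('fill', record), ('confirm', None) or ('deny', None).

    'confirm' means the record exists but must not be handed over until the
    user has verified the host app; this is the AutoSpill case, where filling
    a third-party WebView would expose the credential to the hosting app.
    """
    if req.web_domain is None:
        # Native view: the host app owns its own login form.
        rec = vault.get(req.host_package)
        return ("fill", rec) if rec else ("deny", None)
    rec = vault.get(req.web_domain)
    if rec is None:
        return ("deny", None)          # nothing stored for this site
    if req.host_package in browsers:
        return ("fill", rec)           # a real browser is an expected host
    if req.host_package in links.get(req.web_domain, set()):
        return ("fill", rec)           # the domain vouches for this app
    return ("confirm", None)           # unrelated host: ask the user first
```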
This study was presented at Black Hat Europe 2023. After the vendors were informed of the attack, patches were released for the affected versions.