Password managers have become increasingly common as an easy way to keep all your logins organized and protected. While these apps simplify things when you have so many accounts to sign in to, they aren't perfect.
Researchers from IIIT Hyderabad presented a new threat called "AutoSpill" at a tech event last year; it can take passwords straight from your password manager.
This discovery shows that users must be more cautious when using these apps.
'AutoSpill' Might Be A Tool for Hackers
The researchers came across something that could undermine security: many Android apps use WebView controls to display web pages directly inside their own interfaces. They usually do this to open links or show login pages.
Most top password managers on Android rely on this mechanism to automatically fill in usernames and passwords when you visit login pages for services like Apple, Facebook, or Google.
"AutoSpill" exploits this mechanism, breaching Android's secure autofill process to steal data.
The study found weaknesses in major Android password managers: they could still be reached by "AutoSpill" even when no JavaScript was injected, and they could also be reached when JavaScript was injected.
According to another source, when you log in to a website on the phone, the password manager could accidentally put your login credentials in the wrong place instead of the website. If that happens, the app can see the username and password without going to the website's login page.
This does not involve the app tricking you with fake pages; it exposes the usernames and passwords for the real pages people use. The researchers tested this against different password managers on Android phones, including Google Smart Lock and others such as 1Password, Dashlane, Enpass, LastPass, Keepass2Android, and Keeper.
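A simplified model of the misplacement described above, added here as an illustration and not taken from the researchers or from any password manager: it compares a fill policy that targets every credential field on screen with one that fills only fields inside the web page whose domain matches the saved login. The Node type, its field names and the sample screen are constructed assumptions, and reading "the wrong place" as the app's own native fields is an assumption as well.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    """Simplified stand-in for one node of the view tree an autofill service receives."""
    node_id: str
    hint: Optional[str] = None          # "username" / "password" for input fields
    web_domain: Optional[str] = None    # set on the node that hosts a web page
    children: list = field(default_factory=list)

def naive_targets(root):
    """Weak policy: fill every field with a credential hint, wherever it lives."""
    found = [root.node_id] if root.hint else []
    for child in root.children:
        found += naive_targets(child)
    return found

def web_only_targets(root, saved_domain, inherited=None):
    """Strict policy: fill only fields inside a web subtree whose domain
    matches the domain the credential was saved for."""
    domain = root.web_domain or inherited   # descendants inherit the page's domain
    found = []
    if root.hint and domain is not None and domain.lower() == saved_domain.lower():
        found.append(root.node_id)
    for child in root.children:
        found += web_only_targets(child, saved_domain, domain)
    return found

# Constructed sample: an app screen with its own native fields next to a
# WebView that shows the real login page for example.com.
SCREEN = Node("activity", children=[
    Node("native_user", hint="username"),
    Node("native_pass", hint="password"),
    Node("webview", web_domain="example.com", children=[
        Node("html_user", hint="username"),
        Node("html_pass", hint="password"),
    ]),
])

if __name__ == "__main__":
    print("naive   :", naive_targets(SCREEN))
    print("web-only:", web_only_targets(SCREEN, "example.com"))
    print("mismatch:", web_only_targets(SCREEN, "other.example"))
```

Under the weak policy the app's own fields receive the website's credentials; under the strict policy they receive nothing, and a credential saved for a different domain is not filled at all.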
Which Password Managers Are Vulnerable to 'AutoSpill'?
Password managers such as 1Password, LastPass, Enpass, Keeper, and Keepass2Android were all found to have a problem where JavaScript could get in.
Dashlane and Google Smart Lock were also found to be unsafe when JavaScript was injected.
No one has yet shown this being used to steal actual passwords, but the researchers said it was a serious issue. They said apps pretending to be something else could take passwords without using malicious code and could possibly get into the app stores.
The companies behind the password managers said this was a concern. Keeper, LastPass, and Enpass addressed it in different ways. A top executive at Keeper said Keeper prompts you when filling passwords into an Android app or website.
LastPass already had a pop-up warning about this and changed its wording after further review.
Google advised password managers to be careful with autofill in WebViews and offered tips for making it safer. Enpass quickly fixed the problem in version 6.8.3 after the researchers notified them.
The developers of Keepass2Android have not yet commented on the issue, so they must still be looking into how it affects their password manager.
© Copyright 2025 Mobile & Apps, All rights reserved. Do not reproduce without permission.