AutoSpill attack steals credentials from Android password managers

Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation.
In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection.
Password managers on Android use the platform's WebView framework to automatically type in a user's account credentials when an app loads the login page to services like Apple, Facebook, Microsoft, or Google.
If JavaScript injections are enabled, the researchers say that all password managers on Android are vulnerable to the AutoSpill attack.
Specifically, the AutoSpill issue stems from Android's failure to enforce or to clearly define the responsibility for the secure handling of the auto-filled data, which can result in leaking it or being captured by the host app.
In an attack scenario, a rogue app serving a login form could capture the user's credentials without leaving any indication of the compromise.
The researchers tested AutoSpill against a selection of password managers on Android 10, 11, and 12 and found that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are susceptible to attacks due to using Android's autofill framework.
Through a malicious app installed on the user's device, a hacker could lead a user to unintentionally autofill their credentials.
The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android's WebView.
On the Android platform, Keeper prompts the user when attempting to autofill credentials into an Android application or website.
On June 29, we informed the researcher of this information and also recommended that he submit his report to Google since it is specifically related to the Android platform.
Generally, a malicious Android application would first need to be submitted to Google Play Store, reviewed by Google and subsequently, approved for publication to the Google Play Store.
Keeper always recommends that individuals be cautious and vigilant about the applications they install and should only install published Android applications from trusted app stores such as the Google Play Store.
WebView is used in a variety of ways by Android developers, which include hosting login pages for their own services in their apps.
We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement.
Roid provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app.
When using the Google Password Manager for autofill on Android, users are warned if they are entering a password for a domain Google determines may not be owned by the hosting app, and the password is only filled in on the proper field.
Google Play adds security audit badges for Android VPN apps.
Avast confirms it tagged Google app as malware on Android phones.
FjordPhantom Android malware uses virtualization to evade detection.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 09 Dec 2023 16:20:07 +0000


Cyber News related to AutoSpill attack steals credentials from Android password managers

AutoSpill attack steals credentials from Android password managers - Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International ...
11 months ago Bleepingcomputer.com
Open Source Password Managers: Overview, Pros & Cons - There are many proprietary password managers on the market for those who want an out-of-the box solution, and then there are open source password managers for those wanting a more customizable option. In this article, we explain how open source ...
8 months ago Techrepublic.com
6 Best Enterprise Password Managers for 2024 Rated - Password managers are security tools that store, manage, and share authorization credentials safely for individual users and groups. In this article, I evaluate the top password managers and their ability to deliver and support solutions for ...
8 months ago Esecurityplanet.com
Understand the pros and cons of enterprise password managers - To counter these threats, corporate IT security teams are turning to business-grade password managers to help centralize and streamline password and credential management. A password manager is a credential vault that gives IT teams a unified digital ...
9 months ago Techtarget.com
API Roadmaps and Authentication Experiences - In the dynamic landscape of digital product development, APIs have emerged as indispensable tools that not only connect systems but also play a pivotal role in shaping product roadmaps. In this exploration, we will unravel the multifaceted impact of ...
11 months ago Feeds.dzone.com
AutoSpill attack steals passwords from password manager - Password Managers have become increasingly important to smartphone users as they provide a high level of convenience to users for filling out the information on a web page or application instead of typing out everything. There is no need for users to ...
11 months ago Cybersecuritynews.com
Securden Password Vault Review 2024: Security, Pros & Cons - Securden Password Vault is a password management solution geared towards supervising multiple accounts and sensitive login credentials. Yes, Securden Password Vault can be accessed for free. If you're looking for an enterprise-level password solution ...
9 months ago Techrepublic.com
Navigating API Governance: Best Practices for Product Managers - As the complexity of API ecosystems grows, the need for robust governance becomes paramount. In this article, we will explore in-depth the best practices for product managers in navigating API governance, ensuring secure, scalable, and compliant ...
11 months ago Feeds.dzone.com
Best Password Generators of 2024 to Secure Your Accounts - Overview of best password generators to secure online accounts. We have various password generators to help us protect our accounts and practical barriers to protect our sensitive information. We have compiled this list of the best password ...
6 months ago Cyberdefensemagazine.com
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
1 year ago Trendmicro.com
Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets - Infostealers infect computers, steal all of the credentials saved in the browser along with active session cookies and other data, then export it back to command and control infrastructure before, in some cases, self-terminating. This article will ...
10 months ago Bleepingcomputer.com
Password Advice for the Rest of Us - Cisco Blogs - The key function you’re wanting out of a password manager is the ability to create passwords that are at least twenty (20) characters long, with all the typical mix of letters, numbers and symbols, as well as the ability to create a unique password ...
2 months ago Feedpress.me
Top 6 LastPass Alternatives for 2024 - LastPass is a popular choice for managing passwords and sensitive information for individuals and businesses. While the tool still enjoys global patronage, it's not a bad idea to consider other password managers that can serve as worthy alternatives ...
10 months ago Techrepublic.com
KeePass disputes report of flaw that could exfiltrate a database - Recent security incidents around password managers such as Bitwarden and 1Password, and a posting last week by independent security researcher Alex Hernandez that the open-source KeePass password manager had a flaw, have sparked discussion in the ...
1 year ago Packetstormsecurity.com
Google Search bug shows blank page in Firefox for Android - Users of the Firefox browser for Android have been reporting that they are seeing a blank page when trying to load the main Google Search site. A report of the issue on GitHub confirms that the problem is reproducible on Firefox Mobile 121.0 for ...
10 months ago Bleepingcomputer.com
Google tests blocking side-loaded Android apps with risky permissions - Google has launched a new pilot program to fight financial fraud by blocking the sideloading of Android APK files that request access to risky permissions. An APK is a file format used to distribute Android apps for installation in the operating ...
9 months ago Bleepingcomputer.com
How to Share a Wi-Fi Password: A Step-by-Step Guide - You can unsubscribe at any ...
2 months ago Techrepublic.com
Bitwarden adds passkey support to log into web password vaults - The open-source Bitwarden password manager has announced that all users can now log into their web vaults using a passkey instead of the standard username and password pairs. Passkeys are the more secure alternative to the passwords that most people ...
10 months ago Bleepingcomputer.com
361 million stolen accounts leaked on Telegram added to HIBP - A massive trove of 361 million email addresses from credentials stolen by password-stealing malware, in credential stuffing attacks, and from data breaches was added to the Have I Been Pwned data breach notification service, allowing anyone to check ...
5 months ago Bleepingcomputer.com
Protect your Active Directory from these Password-based Vulnerabilities - Deploying a security solution like Specops Password Policy enhances the protection of passwords, which are frequently exploited as an initial entry point by attackers. In this attack, the perpetrator, typically using a compromised low-level account ...
11 months ago Bleepingcomputer.com
What Is Android System WebView and Should You Uninstall It? | Definition from TechTarget - Android developers use WebView when they want to display webpages or Hypertext Markup Language content in a Google app or other application. Android System WebView is a system component for the Android operating system (OS) that enables Android apps ...
2 months ago Techtarget.com
Google shares fix for Pixel phones hit by bad system update - Google has shared a temporary fix for owners of Google Pixel devices that were rendered unusable after installing the January 2024 Google Play system update. As previously reported by BleepingComputer, after the January 2024 Google Play system ...
10 months ago Bleepingcomputer.com
BazarCall attacks abuse Google Forms to legitimize phishing emails - A new wave of BazarCall attacks uses Google Forms to generate and send payment receipts to victims, attempting to make the phishing attempt appear more legitimate. BazarCall, first documented in 2021, is a phishing attack utilizing an email ...
11 months ago Bleepingcomputer.com
eSecurity Planet - Dashlane is a password management software that's popular for business and personal uses alike. Like many other password managers, Dashlane makes it easy for users to create new passwords and store existing ones in a secure vault. Internet security ...
10 months ago Esecurityplanet.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)