A recent study by IIIT hyderabad researchers at Black Hat Europe Security Conference reveals that most of the android password managers like 1Password, lastpass and Keeper are found to be vulnerable to Autospill hacking attacks. They discovered a new flaw in these password managers.

Through this attack different malicious apps can steal your credentials during the autofill process when you try to sign into a particular website. 

The IIIT hyderabad researchers Ankit Gangwal, Shubham Singh and Abhijeet Srivastava claimed this autospill hacking attack in various password managers on android 10, 11, 12 devices. They found that following password managers were found to be vulnerable

1Password

Lastpass

Enpass

Keeper

Keepass2Android

However, two password managers like Google Smart Lock and DashLane use different mechanisms for auto filling the user login credentials. They did not leak the personal data of users when javascript injection was used.

Different apps use a webview framework to show web content within the app.This framework allows users to quickly log in their credentials without redirection to the main browser. For example when a user tries to log into any app on his own mobile device and use the option of Google or Facebook. That app opens up the facebook or google login page.

When android password managers are used to autofill the user login data. They autofill the user credentials into google or facebook pages.But according to the IIIT hyderabad researchers these password managers actually reveal the user data to malicious apps.

The three researchers said that if javascript injection is enabled, these password managers are more vulnerable to attack.

The main causes of this hack lies in android’s lack of clear guidelines regarding the automatically filling of user credentials allowing dangerous apps to steal user data without informing the users. 

The Study of the report by IIIT hyderabad researchers is shared with the android security team and this study is acknowledged by Google and various password managers as valid. Abhishek Gangwal has notified Google and other password managers about this autospill attack. He said that, even without phishing, these harmful apps can steal your personal information while entering login details to another website via google or facebook.

Various password managers are working to correct this flaw. The IIIT team is also conducting study on IOS devices to verify the autospill attack.Mobile users need to be careful while trying to sign in to any website via google or facebook.