autofill function of Android-based apps. This flaw, named AutoSpill, exposes login credentials to apps hosting web pages, potentially enabling malicious attacks.
The vulnerability arises when users try to log into an app on an Android Operating System (OS), as the OS acts as an intermediary between the apps and generates an autofill request to password managers (PMs).
This confusion between the PMs and the mobile OS can result in the sensitive information being accessed by the app that loaded the web page.
This issue is particularly concerning as an estimated 92.3% of internet users access the internet via mobile devices. For example, when logging into a music app using the 'login via Google or Facebook' option, the autofill feature may inadvertently expose the credentials to the music app.
This vulnerability could have significant consequences if the base app is malicious.
The researchers' paper, titled 'AutoSpill: Credential Leakage from Mobile Password Managers,' has already received the best paper award at the ACM Conference on Data and Application Security and Privacy (CODASPY) 2023. They will present their findings at the prestigious information security event, BlackHat Europe 2023, in December.
The team tested their AutoSpill attack on top-ranked password managers using various Android devices and found that most of the PMs were susceptible to credential leakage even with JavaScript injection disabled. When JavaScript injection was enabled, all the tested PMs were vulnerable to an AutoSpill attack. The researchers have informed Google and the password managers about these vulnerabilities, and they have acknowledged the issue.
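As an added example (not the researchers' code nor any password manager's), the origin check a PM's autofill service could perform before filling a login field that sits inside a WebView hosted by another app, modelled in Python after the data an Android AutofillService receives (the requesting package and the field's web domain). The package names, domain, fingerprints and assetlinks.json content are constructed for the example.

```python
"""Decide whether a password manager should fill a login field hosted in
another app's WebView. The leak described above happens when the PM matches
the web domain alone and hands credentials to whichever app rendered the page,
so the check below also requires the host app to be a trusted browser or to be
explicitly delegated by the site. It never depends on injected JavaScript."""
import json
from dataclasses import dataclass
from typing import Optional

LOGIN_CREDS_RELATION = "delegate_permission/common.get_login_creds"

# Packages that legitimately render arbitrary web origins (constructed allowlist).
TRUSTED_BROWSERS = {"com.android.chrome", "org.mozilla.firefox"}


@dataclass
class FillRequestInfo:
    package: str                 # app owning the Activity that receives the fill
    cert_sha256: str             # signing-certificate fingerprint of that app
    web_domain: Optional[str]    # None for a native form, domain for a WebView field


def associated_packages(assetlinks_json: str) -> set:
    """Return (package, fingerprint) pairs the site delegates login credentials to."""
    pairs = set()
    for stmt in json.loads(assetlinks_json):
        target = stmt.get("target", {})
        if LOGIN_CREDS_RELATION in stmt.get("relation", []) and target.get("namespace") == "android_app":
            for fp in target.get("sha256_cert_fingerprints", []):
                pairs.add((target["package_name"], fp.upper()))
    return pairs


def should_fill(req: FillRequestInfo, assetlinks_by_domain: dict) -> bool:
    """True only when the app receiving the fill is entitled to these credentials."""
    if req.web_domain is None:
        return True   # native form: the PM selects credentials stored for req.package itself
    if req.package in TRUSTED_BROWSERS:
        return True   # a browser is the expected host for a web login page
    statements = assetlinks_by_domain.get(req.web_domain)
    if statements is None:
        return False  # no proof the host app may receive this site's credentials
    return (req.package, req.cert_sha256.upper()) in associated_packages(statements)


# Constructed assetlinks.json: the identity provider delegates login only to its own app.
IDP_ASSETLINKS = json.dumps([{
    "relation": [LOGIN_CREDS_RELATION],
    "target": {"namespace": "android_app", "package_name": "com.example.idp",
               "sha256_cert_fingerprints": ["AA:BB:CC:DD"]},
}])
ASSETLINKS = {"login.example-idp.com": IDP_ASSETLINKS}
```

In the scenario from the article, a third-party app (the music app) rendering the identity provider's login page is refused, while the provider's own app and a trusted browser are filled.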