Security researchers have done this with a newly developed attack Data from password managers to capture. The attack uses this Autofill feature on Android, which is why it has the appropriate name “Automatic spill“He chose for it.
As reported by Bleeping Computer, this was revealed during a presentation at the conference Black hat europeAlmost all password managers on Google’s mobile operating system are vulnerable to AutoSpill.
➤ Read more: With these password managers, you can keep your accounts under control
WebView is causing problems
Researchers benefit from this fact Web view Used to log in. instead of one In-browser redirection Website with Registration mask Open within the application. The password manager then automatically fills in your login details.
This is exactly where AutoSpill can access the data. One assumes Malicious application Loads a WebView login screen that allows you to sign in with a Google, Microsoft, Facebook, or Apple account. The host application can then use AutoSpill to record what users enter into the login form. Password managers were vulnerable Keeper, Keepass2Android, Enpass, LastPass And 1Password.
Because both Google smart lock Beside Dashlan If you choose a different way to fill out login masks, no data will be leaked. However, only if JavaScript is not turned on.
➤ Read more: Beware of this fake password manager
Solution in progress
Researchers have also developed a solution to the problem. However, this remains Secret. 1Password and LastPass explained to Bleeping Computers Security vulnerability with update Close. Keeper Security noted that this is a Google-specific issue and that users should be careful not to install any malware. There is a warning about entering sensitive information on a suspicious website.
