Data Leakage: The Vulnerability of Six Top Android Password Managers

Several mobile password managers on Android are affected by AutoSpill, a vulnerability discovered by researchers at Black Hat Europe 2023. When an Android app calls a login page via WebView, a credential-stealing flaw emerges, allowing shared credentials to be leaked to the app that requested the login information. Affected password managers include 1Password, LastPass, Enpass, Keeper, and Keepass2Android, along with Dashlane and Google Smart Lock if credentials were shared via JavaScript injection. The vulnerability impacts WebView regardless of the presence of phishing or malicious in-app code. Testing on older devices and Android versions reveals that the flaw may affect outdated hardware and software, which underscores the importance of keeping the Android OS and installed apps up to date for overall security. Users should routinely check for OS and app updates to ensure their devices are secure.