AutoSpill, A Lot Of News For A Small Problem

Source: Ars Technica

I’m Not Mad, Just Disappointed

There has been a fair amount of coverage of AutoSpill on Android devices; after all, a bug which affects the major password managers, including Google Smart Lock, Dashlane, 1Password, LastPass, Enpass, Keepass2Android, and Keeper, is worrisome.  It has generally been described as a flaw which passes your login information to a third-party app when you use your password manager to autofill your password.  While that is certainly not a good thing and needs to be dealt with permanently, leveraging the flaw is a lot more difficult than much of the coverage suggests.

In order to use AutoSpill, an attacker would need you to be using an insecure third-party app which you log into with a different, existing account.  That may seem an odd thing to do, but it is a quick way of describing OAuth.  For many apps you have the option to log in with Gmail, Facebook or another such account, and that is where AutoSpill could be a problem.  If you happened to download a malicious piece of software and then used one of your existing accounts to sync the new app with that account, then instead of the app receiving an encoded credential that the third-party software cannot read the real value of, AutoSpill hands that app your actual password.  This is exactly the same as what would happen if you manually typed it in.

That makes AutoSpill more of a breach of proper practices than a horrible exploit.  There is a separate scenario, where a site loaded in a WebView could use JavaScript to capture your password and send it on to somewhere you don't want it to end up.  Since those types of vulnerabilities are widespread, AutoSpill isn't a unique type of attack, just another way to leverage an existing flaw.

The fix is already in, so make sure to update your Android OS, browser and password managers.

As already indicated, the biggest threat stems from the possibility that someone could develop a third-party app that intentionally exploits the unsafe behavior. While there are no known instances of apps exploiting the AutoSpill behaviors, Android apps that use JavaScript injection to steal passwords are a semi-routine occurrence.


About The Author

Jeremy Hellstrom

Call it,, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
