1. "AutoSpill" is a flaw in how Android's autofill framework handles login pages loaded inside an app's WebView; it exposes credentials stored in popular mobile password managers.
2. Password-manager apps including 1Password, LastPass, Keeper and Enpass were tested and found to leak credentials this way.
3. AutoSpill lets a malicious host app capture a user's credentials for a third-party site without any phishing: the user legitimately signs in to that site in a WebView, and the credentials also land in the host app.
4. The leak happens when the password manager autofills the login form inside the WebView but also writes the credentials into the host app's own native input fields; the researchers showed this works even with JavaScript injection disabled.
5. The researchers reported the flaw to Google and to the affected password-manager vendors; fixes are in progress.
6. Google's response is that third-party password managers should follow its WebView best practices for autofill to prevent credential exposure.
7. 1Password and LastPass are working on fixes to address the vulnerability.
8. Keeper claims to have safeguards in place to protect users against automatically filling credentials into untrusted applications.
9. Enpass did not respond to inquiries about the vulnerability.
10. The researchers are also exploring whether an attacker can extract credentials in the opposite direction, from the host app into the WebView, and whether the attack can be reproduced on iOS.
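Point 6 is the actionable part for anyone building or auditing an Android password manager. The following is an added example, not code from the AutoSpill researchers or from any of the password managers named above, of an AutofillService whose fill policy is scoped by web domain. The package name, class name, sample credential and the two trust helpers (isTrustedBrowser, isAssociatedViaAssetLinks) are hypothetical; the Android framework calls used (AutofillService, AssistStructure.ViewNode, getWebDomain, getHtmlInfo, Dataset, FillResponse) are the real API.

```java
// Added example: a minimal Android AutofillService whose fill policy is scoped by web domain.
// Package, class, credential values and the trust helpers are hypothetical; this is not code
// from any named password manager or from the AutoSpill researchers.
package com.example.autofill;

import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.util.Pair;
import android.view.View;
import android.view.ViewStructure;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class DomainScopedAutofillService extends AutofillService {

    /** One fillable field found in the assist structure. webDomain is null for native views. */
    static final class Field {
        final AutofillId id; final String webDomain; final boolean isPassword;
        Field(AutofillId id, String webDomain, boolean isPassword) {
            this.id = id; this.webDomain = webDomain; this.isPassword = isPassword;
        }
    }

    // Constructed sample credential; a real service would look this up in its vault, keyed by
    // the web domain reported by the WebView's fields.
    private static final String CRED_DOMAIN = "accounts.example.com";
    private static final String CRED_USER = "alice@example.com";
    private static final String CRED_PASS = "correct horse battery staple";

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        List<Field> fields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collectFields(structure.getWindowNodeAt(i).getRootViewNode(), fields);
        }

        Dataset.Builder dataset = new Dataset.Builder(presentation());
        int filled = 0;
        for (Field f : fields) {
            if (!mayFill(f, hostPackage)) continue;   // the AutoSpill-relevant check
            dataset.setValue(f.id, AutofillValue.forText(f.isPassword ? CRED_PASS : CRED_USER));
            filled++;
        }
        callback.onSuccess(filled == 0 ? null
                : new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    /** Policy: which fields may receive the credential stored for CRED_DOMAIN. */
    static boolean mayFill(Field f, String hostPackage) {
        if (f.webDomain == null) {
            // Native view of the host app. A vulnerable manager fills it because the WebView
            // elsewhere in the same structure matched CRED_DOMAIN, and the host app receives the
            // credential. Fill only if the package is bound to the domain via Digital Asset Links.
            return isAssociatedViaAssetLinks(hostPackage, CRED_DOMAIN);
        }
        if (!f.webDomain.equals(CRED_DOMAIN)) return false;   // wrong site, never fill
        // webDomain is set by the app's own view implementation (ViewStructure.setWebDomain), so it
        // is attacker-controlled: a trusted browser package or an asset-links binding must vouch for it.
        return isTrustedBrowser(hostPackage) || isAssociatedViaAssetLinks(hostPackage, CRED_DOMAIN);
    }

    /** Walks the view tree and records username/password fields, native or web-rendered. */
    static void collectFields(ViewNode node, List<Field> out) {
        if (node.getAutofillId() != null) {
            List<String> hints = node.getAutofillHints() == null
                    ? new ArrayList<String>() : Arrays.asList(node.getAutofillHints());
            String htmlType = htmlInputType(node);   // WebView fields usually carry HtmlInfo, not hints
            boolean pw = hints.contains(View.AUTOFILL_HINT_PASSWORD) || "password".equals(htmlType);
            boolean user = hints.contains(View.AUTOFILL_HINT_USERNAME)
                    || hints.contains(View.AUTOFILL_HINT_EMAIL_ADDRESS) || "email".equals(htmlType);
            if (pw || user) out.add(new Field(node.getAutofillId(), node.getWebDomain(), pw));
        }
        for (int i = 0; i < node.getChildCount(); i++) collectFields(node.getChildAt(i), out);
    }

    static String htmlInputType(ViewNode node) {
        ViewStructure.HtmlInfo info = node.getHtmlInfo();
        if (info == null || !"input".equals(info.getTag()) || info.getAttributes() == null) return null;
        for (Pair<String, String> a : info.getAttributes()) if ("type".equals(a.first)) return a.second;
        return null;
    }

    // Hypothetical trust anchors. A real service keeps a signed allowlist of browser packages and
    // resolves https://<domain>/.well-known/assetlinks.json (cached); here both are stubbed.
    static boolean isTrustedBrowser(String pkg) { return "com.android.chrome".equals(pkg); }
    static boolean isAssociatedViaAssetLinks(String pkg, String domain) { return false; }

    private RemoteViews presentation() {
        RemoteViews rv = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        rv.setTextViewText(android.R.id.text1, CRED_USER);
        return rv;
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) { callback.onSuccess(); }
}
```

The point of mayFill is that a single fill request can contain fields from two different principals: the web page inside the WebView and the native UI of the app hosting it. Selecting a credential because the WebView's domain matched and then filling every username/password-looking field in the structure is exactly the behaviour the post describes; partitioning by getWebDomain() and requiring an asset-links binding before touching native fields closes it. The same domain check has to be applied on the JavaScript-injection path if a manager uses one, since that path bypasses the framework entirely.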
Balaji Murapaka
@Balajibalu_techie
Tech Researcher | Photographer
Do follow for more tech content.
Day 25/30 Days Tech content challenge