How worried should we be about the “AutoSpill” credential leak in Android password managers?

By now, you’ve probably heard about a vulnerability named AutoSpill, which can leak credentials from any of the seven leading password managers for Android. The threat it poses is real, but it’s also more limited and easier to contain than much of the coverage to date has recognized.

This FAQ dives into the many nuances that make AutoSpill hard for most people (yours truly included) to understand. This post wouldn’t have been possible without invaluable assistance from Alesandro Ortiz, a researcher who discovered a similar vulnerability in Chrome in 2020.

Q: What is AutoSpill?

A: While much of the press coverage of AutoSpill has described it as an attack, it’s more helpful to view it as a set of unsafe behaviors that occur inside the Android operating system when a credential stored in a password manager is autofilled into an app installed on the device. This unsafe behavior exposes the credentials being autofilled to the third-party app, which can be just about any kind of app as long as it accepts credentials for logging the user into an account.

Password managers affected in one way or another include Google Smart Lock, Dashlane, 1Password, LastPass, Enpass, Keepass2Android, and Keeper. Other password managers may also be affected since the researchers who identified AutoSpill limited their query to these seven titles.

AutoSpill was identified by researchers Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava of the International Institute of Information Technology at Hyderabad in India. They presented their findings last week at the Black Hat security conference in London.

Q: If the third-party app allows or requires a user to log into an account, why is it a problem for the password to be autofilled from a password manager?

A: It’s only a problem in certain scenarios. One is when the third-party app allows users to log in to one account using credentials for a different account. For instance, hundreds of apps and sites use a standard known as OAuth to offer users the convenience of logging in to their accounts by using the credentials for their accounts on sites such as Google, Facebook, or Apple. A chief selling point of these arrangements, known as access delegation, is that the third-party app or service never sees the credentials. AutoSpill has the potential to violate this fundamental guarantee.

Another way a malicious app could exploit AutoSpill would be by loading WebView content from a site of a bank or another service the user has an account with. When the malicious app loads the login page of the trusted site, the user will be prompted to select credentials. If the user approves the autofill prompt, the credentials will be populated not only into the WebView portion of the malicious app but also the app’s native view (more about the difference between WebView and native view properties in a moment). And depending on the password manager in use, this flow may occur without any warning.

It’s hard to envision a realistic pretense the malicious app could use to trick a user into logging in to a third-party account not managed by the app developer, and the AutoSpill researchers didn’t offer any. One possibility might be a malicious version of an app that transfers song playlists from one music service to another. Legitimate apps, such as FreeYourMusic or Soundiiz, provide a valuable service by analyzing a playlist stored in the account of one service, such as Apple Music, and then creating an identical playlist for an account on a different service, such as Tidal. To work as desired, these apps require the credentials of both accounts.

Another way a malicious app might exploit AutoSpill is by injecting JavaScript into the WebView content that copies the credentials and sends them to the attacker. These types of attacks have been previously known and work in settings that go well beyond those presented by AutoSpill.

What hasn’t been clear from some of the coverage of AutoSpill is that it poses a threat only in these limited scenarios, and even then, it exposes only a single login credential, specifically the one being autofilled. AutoSpill doesn’t pose a threat when a password manager autofills a password for an account managed by the developer or service responsible for the third-party app—for instance, when autofilling Gmail credentials into Google’s official Gmail app, or Facebook credentials into Facebook’s official Android app.