Newly Developed AutoSpill Attack Steals Android Users' Account Credentials
Security researchers have introduced a new attack named AutoSpill that steals Android account credentials during autofill operations. In a Black Hat Europe presentation, researchers from the International Institute of Information Technology (IIIT) reported that their tests found most Android password managers vulnerable to AutoSpill, even without JavaScript injection. Android apps commonly use WebView controls to render web content, including login pages, inside the app, which offers a more user-friendly experience on small screens. Password managers on Android rely on the WebView framework to automatically fill in user account credentials when an app loads login pages for services like Apple, Facebook, Microsoft, or Google.