A team of researchers has uncovered a new vulnerability, dubbed “AutoSpill,” affecting several popular password managers on Android devices, according to a recent TechCrunch report. The vulnerability allows malicious apps to access users’ sensitive login credentials stored in password managers through exploiting the autofill function in Android’s WebView component.
According to Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava from IIIT Hyderabad in India, the vulnerability works by tricking password managers into auto-filling credentials into an app’s native text fields when the app shows a login page through a WebView instead of launching an external web browser.
“Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information,” explained Gangwal.
The implications are serious considering the popularity of password managers to store sensitive login information for various online services. If exploited, the vulnerability provides malicious apps easy access to a treasure trove of usernames and passwords.
Gangwal disclosed the findings to both Google and the affected password manager developers. 1Password has acknowledged the vulnerability and claims to have identified a fix that will land in a future update. LastPass has also put mitigations in place. Other vendors have yet to publicly comment or confirm plans to address the issue.
The researcher team says they are still investigating whether a similar attack is possible on iOS devices. For now, Android users should be cautious about entering credentials into native app text fields, even if prompted by a WebView-based login page. As always, only install apps from trusted sources like the Google Play Store.
The AutoSpill research highlights the rising challenge of securing credentials across the modern app ecosystem. As login systems increasingly transition from web to in-app embedded browser flows, vulnerabilities like this demonstrate many risks are still being uncovered.