Password managers vulnerable to "AutoSpill" flaw in Android

Jan

Popular password managers leaking credentials in Android apps

Several popular password managers have been leaking user credentials due to a vulnerability in the autofill function of Android apps, TechCrunch reports.

Researchers at IIIT Hyderabad discovered the vulnerability — dubbed "AutoSpill" — and found that it can expose saved passwords by bypassing Android's autofill functionality.
 
I personally use SafeInCloud. One thing worth mentioning is that in order for the app to detect fields, you need to whitelist the application or website for each individual entry. It doesn't just automatically push the credentials.

Enpass should be the same... though I see it named in the article.
 
Sorry but not sorry... not shocked that third-party apps would be vulnerable, but it does beg the question of Google's built-in password manager also. Can't we authenticate using biometrics? And lastly, what about when you use the Google Authenticator app?
 
In theory, it is also vulnerable, since the vulnerability is not with the password manager, but with the way that autofill is handled by the OS. Your passwords are secure and behind biometrics, true, until it passes the info in plaintext to a malicious page requesting it.
 