AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers
Learn about AutoSpill, a zero-effort credential stealing technique that targets mobile password managers, leveraging assist structure requests without user interaction or phishing, exposing millions to risk.
- AutoSpill is a technique that allows hackers to steal credentials from mobile password managers without any user interaction or phishing.
- The attack works by sending the password manager a request carrying an assist structure, a data set describing the request, including its username and password fields.
- The password manager then parses the assist structure and returns the requested information, including the credentials, to the requesting app.
- The attack can be executed by creating a benign application that sends the assist structure request to the password manager.
- The Android operating system is vulnerable to AutoSpill, as it gives the application access to the assist structure without verifying the authenticity of the request.
- Most popular password managers, including Google Smart Lock and Dashlane, are vulnerable to AutoSpill.
- The attack is particularly dangerous because it can be executed without any user interaction or phishing, making it a zero-effort credential stealing technique.
- The researchers have found that Android operating system updates, including the latest security patch, did not fix the issue.
- The researchers have also found that some password managers did not respond to the issue, and those that did respond said they would fix it, but did not provide a timeline.
- The researchers are working on reversing the AutoSpill attack, which involves intercepting the assist structure and identifying the information exchanged during the autofill ceremony.
- The researchers suggest that password managers should not give access to the assist structure to the application without verifying the authenticity of the request.
- The researchers also suggest that the Android operating system should improve its security to prevent AutoSpill attacks.
- The researchers have tested the AutoSpill attack on multiple Android devices and found that it works on all of them.
- The researchers have also found that the attack can be executed on multiple apps, including Facebook and Google apps.
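The mitigation suggested above, verifying where a request comes from before handing over credentials, as an added example that is not code from the talk or from any password manager named here: an Android AutofillService that walks the assist structure and fills a field only when that field's own origin (the WebView page's domain, or the hosting app's package) matches the saved credential. The domain, package name and credential values are constructed sample data, and the package-to-domain link stands in for a real verified association.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.Arrays;

public class OriginCheckingAutofillService extends AutofillService {
    // Constructed sample credential; a real manager looks these up by origin.
    private static final String SAVED_DOMAIN = "login.example.com", SAVED_USER = "alice", SAVED_PASS = "s3cret";
    // Constructed: the one app package this manager treats as linked to SAVED_DOMAIN.
    private static final String LINKED_PACKAGE = "com.example.app";

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        AssistStructure structure = request.getFillContexts().get(request.getFillContexts().size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();
        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, SAVED_USER + " @ " + SAVED_DOMAIN);
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        int filled = 0;
        for (int i = 0; i < structure.getWindowNodeCount(); i++)
            filled += visit(structure.getWindowNodeAt(i).getRootViewNode(), hostPackage, dataset);
        // Offer nothing at all rather than a dataset that reached no origin-checked field.
        callback.onSuccess(filled == 0 ? null : new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    // Walks the assist structure; a field joins the dataset only if its own origin passes the check,
    // so a native field of the host app never receives a value meant for a WebView page.
    private int visit(ViewNode node, String hostPackage, Dataset.Builder dataset) {
        int filled = 0;
        String[] hints = node.getAutofillHints();
        if (hints != null && node.getAutofillId() != null && originAllowed(node.getWebDomain(), hostPackage)) {
            if (Arrays.asList(hints).contains(View.AUTOFILL_HINT_USERNAME)) { dataset.setValue(node.getAutofillId(), AutofillValue.forText(SAVED_USER)); filled++; }
            if (Arrays.asList(hints).contains(View.AUTOFILL_HINT_PASSWORD)) { dataset.setValue(node.getAutofillId(), AutofillValue.forText(SAVED_PASS)); filled++; }
        }
        for (int i = 0; i < node.getChildCount(); i++) filled += visit(node.getChildAt(i), hostPackage, dataset);
        return filled;
    }

    // A node inside a WebView carries the page's domain, which must match the saved origin exactly;
    // a native field (no web domain) belongs to the host app, which must itself be linked to that domain.
    private boolean originAllowed(String webDomain, String hostPackage) {
        if (webDomain != null) return SAVED_DOMAIN.equalsIgnoreCase(webDomain);
        return LINKED_PACKAGE.equals(hostPackage);
    }
}
```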