AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers

Learn about AutoSpill, a zero-effort credential stealing technique that targets mobile password managers by leveraging assist structure requests, without user interaction or phishing, exposing millions of users to risk.

Key takeaways
  • AutoSpill is a technique that allows attackers to steal credentials from mobile password managers without any user interaction or phishing.
  • The attack works by having an app send a request to the password manager that carries an assist structure, the data set Android builds to describe the request, including its username and password fields.
  • The password manager parses the assist structure and returns the requested information, including the credentials.
  • The attack can be executed by creating a benign-looking application that sends the assist structure request to the password manager.
  • The Android operating system is vulnerable to AutoSpill because it hands the assist structure to the application without verifying the authenticity of the request.
  • Most popular password managers, including Google Smart Lock and Dashlane, are vulnerable to AutoSpill.
  • The attack is particularly dangerous because it needs no user interaction or phishing, which is what makes it a zero-effort credential stealing technique.
  • The researchers found that Android operating system updates, including the latest security patch, did not fix the issue.
  • The researchers also found that some password managers did not respond to the issue; those that did respond said they would fix it but gave no timeline.
  • The researchers are working on reversing the AutoSpill attack, which involves intercepting the assist structure and identifying the information exchanged during the autofill ceremony.
  • The researchers suggest that password managers should not be given access to the assist structure without the authenticity of the request being verified.
  • The researchers also suggest that the Android operating system should improve its security to prevent AutoSpill attacks.
  • The researchers tested the AutoSpill attack on multiple Android devices and found that it works on all of them.
  • The researchers also found that the attack can be executed against multiple apps, including Facebook and Google apps.
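A defensive illustration added here (not code from the AutoSpill researchers or from any password manager): an Android AutofillService that walks the AssistStructure it receives and declines to fill anything when web content and native credential fields appear in the same request, the mixing the takeaways above describe. The vault map is a constructed placeholder, and the origin check is simplified to the first web domain seen.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.*;

/** Autofill service that refuses to spill web credentials into native fields of the host app. */
public class OriginAwareAutofillService extends AutofillService {
    // Constructed stand-in for a real vault: origin -> {username, password} (assumption, Map.of needs API 30).
    static final Map<String, String[]> VAULT = Map.of("login.example", new String[] {"alice", "hunter2"});
    static boolean hasHint(ViewNode n, String hint) {
        return n.getAutofillHints() != null && Arrays.asList(n.getAutofillHints()).contains(hint);
    }
    /** Walk the assist structure; credential fields under a web domain go to web, all others to nat. */
    static void walk(ViewNode n, boolean insideWeb, List<String> domains, List<ViewNode> web, List<ViewNode> nat) {
        if (n.getWebDomain() != null) { domains.add(n.getWebDomain()); insideWeb = true; }
        if (n.getAutofillId() != null && (hasHint(n, View.AUTOFILL_HINT_USERNAME) || hasHint(n, View.AUTOFILL_HINT_PASSWORD))) {
            (insideWeb ? web : nat).add(n);
        }
        for (int i = 0; i < n.getChildCount(); i++) walk(n.getChildAt(i), insideWeb, domains, web, nat);
    }
    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> ctx = request.getFillContexts();
        AssistStructure s = ctx.get(ctx.size() - 1).getStructure();
        List<String> domains = new ArrayList<>();
        List<ViewNode> webFields = new ArrayList<>(), nativeFields = new ArrayList<>();
        for (int i = 0; i < s.getWindowNodeCount(); i++) walk(s.getWindowNodeAt(i).getRootViewNode(), false, domains, webFields, nativeFields);
        // AutoSpill shape: web content plus credential fields outside it in one request. Fill nothing.
        if (!domains.isEmpty() && !nativeFields.isEmpty()) { callback.onSuccess(null); return; }
        // Origin is the first web domain, or the host package for a purely native screen; a production service would also verify the package/domain association.
        String origin = domains.isEmpty() ? s.getActivityComponent().getPackageName() : domains.get(0);
        List<ViewNode> targets = domains.isEmpty() ? nativeFields : webFields;
        String[] cred = VAULT.get(origin);
        if (cred == null || targets.isEmpty()) { callback.onSuccess(null); return; }
        RemoteViews label = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        label.setTextViewText(android.R.id.text1, cred[0] + " for " + origin);
        Dataset.Builder ds = new Dataset.Builder(label);
        for (ViewNode f : targets) {
            ds.setValue(f.getAutofillId(), AutofillValue.forText(hasHint(f, View.AUTOFILL_HINT_PASSWORD) ? cred[1] : cred[0]));
        }
        callback.onSuccess(new FillResponse.Builder().addDataset(ds.build()).build());
    }
    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) { callback.onSuccess(); }
}
```

Declaring the service in the manifest with the BIND_AUTOFILL_SERVICE permission and an autofill service meta-data entry is required for Android to route requests to it; a real manager would replace the VAULT map with its encrypted store and the first-domain shortcut with a per-frame origin check.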