AutoSpill, A Lot Of News For A Small Problem
I’m Not Mad, Just Disappointed
There has been a fair amount of coverage of AutoSpill on Android devices; after all, a bug which affects the major password managers, including Google Smart Lock, Dashlane, 1Password, LastPass, Enpass, Keepass2Android, and Keeper, is worrisome. It has generally been described as a flaw which passes your login information to a third-party app when you use your password manager to autofill your password. While that is certainly not a good thing and needs to be dealt with permanently, leveraging the flaw is a lot more difficult than much of the coverage suggests.
To be exposed to AutoSpill you would need to be using an insecure third-party app which you log into with a different account. That may seem an odd thing to do, but it is a quick way of describing OAuth. Many apps offer the option to log in with Gmail, Facebook or another such account, and that is where AutoSpill could be a problem. If you happened to download a malicious piece of software and then signed in to the new app with one of your existing accounts, then instead of the app receiving only an encoded token that it can’t turn back into your actual password, AutoSpill would hand that app your real password. This is exactly the same as what would happen if you manually typed it in.
That makes AutoSpill more a breach of proper practice than a horrible exploit. There is a separate scenario in which a site loaded in a WebView could use JavaScript to capture your password and send it somewhere you don’t want it to end up. Since those types of vulnerabilities are widespread, AutoSpill isn’t a unique type of attack, just another way to leverage an existing flaw.
The fix is already in, so make sure to update your Android OS, browser and password managers.
As already indicated, the biggest threat stems from the possibility that someone could develop a third-party app that intentionally exploits the unsafe behavior. While there are no known instances of apps exploiting the AutoSpill behaviors, Android apps that use JavaScript injection to steal passwords are a semi-routine occurrence.
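As an added illustration (not the article’s or any password manager’s code), here is a simplified model of the autofill decision described above: the naive policy hands the password to the host app’s own native fields once the WebView domain matches, while the stricter policy fills only the WebView field for the matching domain, or native fields when the host app is a verified owner of that domain. The field names, package names and the VERIFIED_OWNERS table are constructed for the example.

```python
"""Simplified model of an Android-style autofill decision (illustration only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Field:
    # One input in the autofill request. web_domain is set for inputs inside a
    # WebView (what Android exposes as the view node's web domain), None for
    # native views that belong to the host app itself.
    name: str
    is_password: bool
    web_domain: Optional[str]


@dataclass(frozen=True)
class Credential:
    domain: str
    username: str
    password: str


# Constructed table: which app packages are verified owners of a web domain
# (the role Digital Asset Links plays on Android). Assumed data, not real.
VERIFIED_OWNERS = {"accounts.example.com": {"com.example.official"}}


def naive_fill(host_pkg: str, fields: List[Field], cred: Credential) -> Dict[str, str]:
    """Unsafe policy: once any WebView field shows the credential's domain, fill
    every password field in the request. Native fields belong to the host app, so
    the host app can read the value: this is the behaviour the article describes."""
    if not any(f.web_domain == cred.domain for f in fields):
        return {}
    return {f.name: cred.password for f in fields if f.is_password}


def strict_fill(host_pkg: str, fields: List[Field], cred: Credential) -> Dict[str, str]:
    """Stricter policy: fill a WebView field only when its domain matches the
    credential, and a native field only when the host app is a verified owner of
    that domain. (JavaScript injected into the WebView itself is the separate
    risk mentioned in the article and is not addressed by this check.)"""
    filled = {}
    for f in fields:
        if not f.is_password:
            continue
        if f.web_domain == cred.domain:
            filled[f.name] = cred.password
        elif f.web_domain is None and host_pkg in VERIFIED_OWNERS.get(cred.domain, set()):
            filled[f.name] = cred.password
    return filled


# Constructed request: a third-party app hosting the login page in a WebView next
# to a native password field of its own.
REQUEST = [Field("web_password", True, "accounts.example.com"),
           Field("native_password", True, None)]
CRED = Credential("accounts.example.com", "alice", "constructed-secret")
```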
More Tech News From Around The Web
- Hackers are exploiting critical Apache Struts flaw using public PoC @ Bleeping Computer
- Google Debuts Imagen 2 With Text and Logo Generation @ Slashdot
- Kernel kerfuffle kiboshes Debian 12.3 release @ The Register
- Voyager 1 In Trouble As Engineers Scramble To Debug Issue With Flight Data System @ Hackaday
- Tesla recalls every car with Autopilot as feds say it’s too easily misused @ Ars Technica
- BlackBerry squashes plan to spin out its IoT biz @ The Register
- Kinnls Coast Power Recliner Chair @ Kitguru