At its most basic, the term “auto fill” refers to a feature or set of features that enables users to insert previously entered information into web pages. Depending on the specific application being used, this can be any sort of information, from names and addresses all the way up to information that needs more protection, such as credit card numbers and username/password combinations.
On Android devices, it is often the case that an application will display a login form by using what’s called a WebView control, which is essentially a feature within Android to display web content to a user without forcing them to open a separate application. A couple of common instances where WebView controls are used are when a user clicks a link in an email, or when a user logs in to a service using the “Login with…” feature. In either of these cases, web content is shown to the user without the need for changing applications.
An auto fill framework has been a part of Android since Android version 8.0. This framework is made up of three components. The first is the Android system itself, which defines the workflow and provides the infrastructure for the clients and services to work together. Services are apps like password managers, which save and store data, while clients are apps that provide views that need to be filled out.
Looking forward to the problem we’ll be discussing, it is worth noting here that researchers have already been discussing the potential issues with auto fill functionality on mobile devices. During a mobile password manager evaluation in 2021, researchers at the University of Tennessee noted that many of the password managers did not seem to properly establish a secure credential-to-destination mapping. What this means is that, at the time, the password managers tested may not have been preventing other webpages or apps from accessing the auto fill credentials en route to their destination.
The AutoSpill attack was introduced by a team of researchers at the recent Black Hat conference in Europe. The primary target of this type of attack is credentials being accessed during an autofill operation. Credentials can leak because they are supplied to both the native client requesting the credentials and the WebView component needed to display the login form. To exploit this scenario, an app would need to be developed specifically for this purpose. JavaScript injection can also be used on the WebView component to copy credentials, but it is worth mentioning here that JavaScript credential-stealing attacks are not specific to AutoSpill.
As we hinted at a moment ago, the main issue that AutoSpill stems from is a lack of clearly defined responsibilities in how credentials are handled between the autofill systems, clients, and services. In other words, the proposal of the AutoSpill problem is that under the right circumstances, credentials could be leaked to or intercepted by rogue apps.
(Source: Black Hat)
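The “secure credential-to-destination mapping” mentioned earlier and the undefined division of responsibility described just above both come down to a decision the password manager (the autofill service) has to make for every fill request: which domain is this credential bound to, which app is allowed to host a login form for that domain, and are native and WebView fields being asked for in the same request? The following Android AutofillService is an added example written for this article; it is not the article’s code and not taken from any of the password managers discussed. It assumes a constructed in-memory vault and a constructed allow-list of host packages (the package and domain names are placeholders), and it uses the public `android.service.autofill` and `AssistStructure` APIs: the domain of an HTML field inside a WebView is read from `ViewNode.getWebDomain()`, and the hosting app from `AssistStructure.getActivityComponent()`. The service fills nothing unless the domain matches a stored credential, the host app is trusted for that domain, and the request does not mix native and WebView fields, which is the ambiguity AutoSpill relies on.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.util.Log;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Added example, not the article's or any vendor's code: an AutofillService that binds
// each stored credential to a web domain and to the apps allowed to host that domain's
// login form, and fills nothing when a request does not satisfy both.
public class DomainBoundAutofillService extends AutofillService {
    private static final String TAG = "DomainBoundAutofill";

    // Constructed vault: web domain -> {username, password}. Placeholder values; a real
    // manager keeps these encrypted at rest.
    private static final Map<String, String[]> VAULT =
            Map.of("login.example.com", new String[]{"alice", "correct horse battery staple"});
    // Constructed allow-list: app packages that may host a login form for each domain
    // (the site's own app, or a browser). Placeholder package names.
    private static final Map<String, List<String>> TRUSTED_HOSTS =
            Map.of("login.example.com", List.of("com.example.officialapp", "com.android.chrome"));

    // Login fields found in one request and the origin they came from.
    private static final class LoginForm {
        AutofillId username, password;
        String webDomain;      // null for native views, the page's domain for WebView content
        boolean mixedOrigins;  // set when fields from different origins appear together
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        LoginForm form = new LoginForm();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collectFields(structure.getWindowNodeAt(i).getRootViewNode(), form);
        }
        if (form.username == null || form.password == null) {
            callback.onSuccess(null); // nothing recognisable to fill
            return;
        }
        // Native and WebView login fields in one request is the ambiguity AutoSpill relies on:
        // refuse rather than let one credential reach both.
        if (form.mixedOrigins) {
            Log.w(TAG, "native and web login fields mixed in " + hostPackage + "; not filling");
            callback.onSuccess(null);
            return;
        }
        // The credential is bound to the WebView's domain, and the domain to trusted host apps.
        String[] cred = form.webDomain == null ? null : VAULT.get(form.webDomain);
        if (cred == null || !TRUSTED_HOSTS.getOrDefault(form.webDomain, List.of()).contains(hostPackage)) {
            Log.w(TAG, "no credential bound to domain=" + form.webDomain + " host=" + hostPackage);
            callback.onSuccess(null);
            return;
        }

        RemoteViews row = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        row.setTextViewText(android.R.id.text1, cred[0] + " @ " + form.webDomain);
        Dataset dataset = new Dataset.Builder(row)
                .setValue(form.username, AutofillValue.forText(cred[0]))
                .setValue(form.password, AutofillValue.forText(cred[1]))
                .build();
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset).build());
    }

    // Walk the view tree, recording username/password fields and where they came from.
    private static void collectFields(ViewNode node, LoginForm form) {
        String[] hints = node.getAutofillHints();
        if (hints != null) {
            List<String> h = Arrays.asList(hints);
            boolean isUser = h.contains(View.AUTOFILL_HINT_USERNAME);
            boolean isPass = h.contains(View.AUTOFILL_HINT_PASSWORD);
            if (isUser || isPass) {
                String domain = node.getWebDomain(); // non-null only for HTML elements in a WebView
                boolean seenBefore = form.username != null || form.password != null;
                if (seenBefore && !Objects.equals(domain, form.webDomain)) form.mixedOrigins = true;
                form.webDomain = domain;
                if (isUser) form.username = node.getAutofillId();
                if (isPass) form.password = node.getAutofillId();
            }
        }
        for (int i = 0; i < node.getChildCount(); i++) collectFields(node.getChildAt(i), form);
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // storing newly entered credentials is out of scope here
    }
}
```

The two refusals are logged so that a manager can surface them to the user or to telemetry; a host app repeatedly presenting another site’s domain inside its WebView, or mixing native and web login fields, is exactly the behaviour worth noticing. Returning `onSuccess(null)` is the standard way to tell the framework there is nothing to fill, so the user sees no suggestion rather than an error.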
In a general sense, the seriousness of the AutoSpill problem and its potential impacts have been brought into question, as some suggest that leveraging the flaw would be much more difficult than the initial research suggests. AutoSpill is also described by some less as an attack and more as a set of unsafe behaviors on the part of the Android system. Ultimately, while novel and interesting, AutoSpill can only be a problem in certain scenarios. An easy path for an AutoSpill attack to occur would likely involve an untrusted app, which would either have to bypass Google’s malware scanning or be sideloaded onto the device manually by the user.
In testing, many of the password managers available on Android were used. We can see them all listed in the table below. Google and Dashlane password managers implement different approaches than what is required for AutoSpill so they did not leak any credentials. The remaining managers did leak credentials to varying degrees under ideal circumstances.
(Source: Black Hat)
Using JavaScript injection does improve the likelihood of being able to steal credentials, but as mentioned previously, that kind of attack has been around since before AutoSpill.
Most of the vendors responsible for the password managers listed have either created patches for the vulnerability or commented on the situation. Specifically, 1Password and Enpass have commented on updating the logic of their password managers, and Dashlane and LastPass already had related mitigations in place.
In summary, autofill is a feature included in most, if not all, password managers for quickly entering credentials into login forms. This feature can also extend to other information like names and addresses. On Android devices, applications can use WebView controls to display web information like a login form. The client application can then make a request to the Android autofill framework, which then reciprocates the communication with both the WebView component and the client application for filling in the credentials.
AutoSpill, on the other hand, is a type of credential-stealing attack introduced by a set of researchers at a recent Black Hat conference. The idea behind the process is that an application with malicious intent could take advantage of the confusion over how native apps and WebView controls are both given access to credentials in order to steal them. While this is certainly a situation worth looking into, it must be noted that a successful attack would require a very particular set of circumstances. Because an AutoSpill attack is unlikely to occur, the overall potential impact of this problem is not seen as very high.
Finally, we went over a list of password managers tested for vulnerability to AutoSpill. Both Google and Dashlane performed well, and while researchers were able to leak credentials from the other managers, either specific fixes for this problem or related mitigations have already been put into place by most of them.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com