March 13, 2024, 4:48 p.m. | Black Hat

Black Hat www.youtube.com

...We will present a novel attack - that we call AutoSpill - to steal users' saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android's secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill, even without JavaScript injections. With JavaScript injections enabled, all of them were found vulnerable. We discovered the fundamental reasons for AutoSpill and will propose systematic countermeasures to fix AutoSpill properly. …

