Tag

Credential Leakage

All articles tagged with #credential leakage

technology, 2 years ago

"Security Alert: Mobile Password Managers May Compromise Your Credentials"

Researchers at IIIT Hyderabad have discovered a vulnerability, dubbed "AutoSpill," in the autofill functionality of Android apps that can expose user credentials from popular mobile password managers. When an Android app loads a login page in WebView, password managers can mistakenly expose credentials to the underlying app's native fields instead of autofilling them into the intended login page. This poses significant risks, especially if the base app is malicious, because that app can then access the sensitive information automatically. The researchers tested popular password managers, including 1Password, LastPass, Keeper, and Enpass, and found that most were vulnerable to credential leakage. They have alerted Google and the affected password managers to the flaw and are exploring the possibility of extracting credentials from the app to WebView.