Explore a novel attack called AutoSpill that compromises Android's secure autofill process to steal user credentials from mobile password managers. Learn how this vulnerability affects the majority of top Android password managers, even without JavaScript injections, and becomes universally exploitable when JavaScript injections are enabled. Discover the fundamental reasons behind AutoSpill and examine proposed systematic countermeasures to address this security issue. Gain insights into the responsible disclosure process undertaken with affected password managers and the Android security team, including the acknowledgment of the issue by various password managers and Google.
AutoSpill - Zero Effort Credential Stealing from Mobile Password Managers
Overview
Syllabus
AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers
Taught by
Black Hat
Related Courses
-
Extracting Secrets from Locked Password Managers
-
Beyond Credential Stuffing - Password Similarity Models Using Neural Networks
-
Mining and Exploiting Mobile Payment Credential Leaks in the Wild
-
Broken Isolation: Draining Credentials from Popular macOS Password Managers
-
Session Identifier are for Now, Passwords are Forever - XSS-Based Abuse of Browser Password Managers
-
Common Observations from a Security Assessor
