Automatic dumping. It is the name with which a person was baptized. new vulnerability discovered in Google ecosystem, including all Android devices. It was recently detailed at the Black Hat Europe event, and it’s no joke: it allows access to data stored by password managers.
And even though the main victims are Android users, we can never 100% rule out that this vulnerability will surprise us. Bounce. Let’s see what this new security flaw is and what we can do to strengthen ourselves from the iPhone.
Most Popular Password Managers Are Vulnerable
The name AutoSpill is based on the password autofill feature, automatic filling in English. This is precisely what all password managers do: automatically fill in the credentials of the services that need them in order to work more comfortably and (theoretically) more secure.
However, this new type of attack manages to Capture auto-filled characters from a password managerwith which you can obtain data as sensitive as passwords and credit card numbers.
Capturing is done via the WebView tool, used by managers such as LastPass, EnPass, 1Password or KeePass. They belong to the list of the most used managers on Android. The attack doesn’t even need JavaScript, and leaves no trace in front of the victim. The weak point appears when Android does not clearly define the data protection responsibilities that have been fulfilled automatically, thus opening the door to this vulnerability called AutoSpill.
How to protect ourselves against AutoSpill on our iPhone
The first thing is to remain calm: this vulnerability mainly affects the Google ecosystem and password managers on Android. However, any precautions to protect our passwords are insufficient. And even more knowing that iOS 17 can be integrated with the passwords that we save in its cloud.
One step you can take about this is to make sure you sync your passwords using iCloud Keychain and not the Google service. You can do this by following these steps:
- On your iPhone, open Settings.
- Go to “Passwords”.
- Go to “Password Options”.
- In the “Use passwords and access keys” section, turn off the “Google” option if it is present. Prioritize the “iCloud Passwords & Keychain” option if you prefer.
iCloud Keychain protect yourself with biometric measures (Face ID or Touch ID), so it is virtually impossible for someone to end up intercepting data from an iPhone if these options are configured correctly.
I have no doubt we’ll see a fix from Google and/or Android developers soon, but in the meantime the best thing to do is be careful. Especially if you use a third-party password manager with an Android phone.
In Applesfera | Three Ways to Manage Passwords on a Mac Without Having to Install Any Apps
In Applesfera | Chinese hackers have been stealing Apple Pay data from Europe’s largest chipmaker for years.
