Close Menu
TechTost
  • AI
  • Apps
  • Crypto
  • Fintech
  • Hardware
  • Media & Entertainment
  • Security
  • Startups
  • Transportation
  • Venture
  • Recommended Essentials
What's Hot

If you use Google, you train its AI. See how you can opt out.

Apple is bringing back card payments for Apple Account purchases in India after a four-year hiatus

Smart glasses maker Even Realities hits $1 billion valuation with $150 million in funding led by Meituan, Tencent

Facebook X (Twitter) Instagram
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer
Facebook X (Twitter) Instagram
TechTost
Subscribe Now
  • AI

    If you use Google, you train its AI. See how you can opt out.

    6 July 2026

    Amazon will stop accepting new customers for Mechanical Turk

    6 July 2026

    Yes, we use OpenClaw to this day

    5 July 2026

    Midjourney wants Hollywood studios to reveal the details of their use of artificial intelligence

    5 July 2026

    What is Mistral AI? Everything you need to know about the OpenAI competitor

    4 July 2026
  • Apps

    Apple is bringing back card payments for Apple Account purchases in India after a four-year hiatus

    6 July 2026

    WhatsApp now allows you to reserve usernames

    5 July 2026

    Podcasting platform Riverside is getting into the newsletter game

    4 July 2026

    Threads adds new features to Live Chats as it expands access

    4 July 2026

    Travel app Hopper to pay $35 million in FTC settlement over ‘unfair’ hidden fees

    3 July 2026
  • Crypto

    Venice AI goes unicorn with $65M Series A as first privacy AI platform takes off

    1 July 2026

    Crypto Exchange OKX wants AI agents to hire and pay each other

    30 June 2026

    Startup Battlefield 200 applications close today

    27 May 2026

    5 days left: Save up to $410 on Disrupt 2026 passes

    25 May 2026

    As crypto cools, a16z crypto raises $2.2 billion in capital

    6 May 2026
  • Fintech

    India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

    28 June 2026

    Early Bird pricing ends tonight for the Founder Summit

    26 June 2026

    4 days left to save up to $190 on Founder Summit 2026

    23 June 2026

    Robinhood’s note on 10% layoffs shows that blaming AI doesn’t cut it

    17 June 2026

    Anthropic’s latest spat with the Trump administration may actually help it, sales figures suggest

    17 June 2026
  • Hardware

    Smart glasses maker Even Realities hits $1 billion valuation with $150 million in funding led by Meituan, Tencent

    6 July 2026

    5 office gadgets that can make your work day better

    6 July 2026

    IQM, Europe’s first public quantum company, admits that the future of the technology is uncertain

    3 July 2026

    Thiel Capital’s Jack Selby commits stakes in hot startups like Etched through Arizona connections

    3 July 2026

    Ashton Kutcher is leaving Sound Ventures to start a new VC firm with Morgan Beller

    2 July 2026
  • Media & Entertainment

    New Google ad imagines a Declaration of Independence written with the help of artificial intelligence

    4 July 2026

    Cloudflare’s new policy pushes AI companies to pay for publishers’ content

    1 July 2026

    Watch out, Amazon: The Kobo eReader now has a Goodreads rival

    29 June 2026

    YouTube Shorts just got even shorter with an update that lets you double the playback speed

    25 June 2026

    Deezer says its new feature allows fans to remix songs with the artist’s consent

    24 June 2026
  • Security

    Politician who investigated abuses of wiretapping software on his phone with Pegasus spyware

    3 July 2026

    The US government says it’s been hacked — again

    2 July 2026

    In major privacy victory, Supreme Court rules that geo-trafficking warrants are protected by privacy rights

    29 June 2026

    The Klue hack results in a data breach at several cybersecurity companies

    26 June 2026

    Cellebrite said it cut off Russia, but Russia used its tools anyway

    26 June 2026
  • Startups

    Your Brand Deserves Its Own Stage — TechCrunch Disrupt 2026 Side Events

    4 July 2026

    The browser wars aren’t about search anymore — here are the best alternatives to Chrome and Safari

    3 July 2026

    Last chance to apply — Startup Battlefield Australia applications close on 6 July

    3 July 2026

    Arcturus could halve grid electrical losses using nano-infused metals

    2 July 2026

    Indian tech tycoon bets $30 million of his own money to build AI alternative to Microsoft Office

    2 July 2026
  • Transportation

    Chevy built an all-American EV truck — why isn’t anyone buying it?

    3 July 2026

    Rivian raises EV sales forecast as second-quarter production ramps up

    3 July 2026

    Lucid Motors CFO steps down as new CEO continues leadership shakeup

    2 July 2026

    Tesla begins testing Cybercab without pedals or steering wheel in Austin

    2 July 2026

    Lime is starting life as a public company after years of uncertainty

    1 July 2026
  • Venture

    What are bending spoons? The little-known owner of AOL and Vimeo who is now public

    5 July 2026

    After $18B IPO, Bending Spoons Founder Says Success Comes From Minimizing Luck

    2 July 2026

    Bending Spoons defies SaaS slump, up 40% on first day of trading

    2 July 2026

    The DeepMind trio that created a poker AI is now making money for quantitative hedge funds

    1 July 2026

    Patronus AI lands $50 million to create ‘digital worlds’ that stress-test AI agents

    26 June 2026
  • Recommended Essentials
TechTost
You are at:Home»Security»Your mobile password manager can reveal your credentials
Security

Your mobile password manager can reveal your credentials

techtost.comBy techtost.com7 December 202304 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Email
Your Mobile Password Manager Can Reveal Your Credentials
Share
Facebook Twitter LinkedIn Pinterest Email

Some popular mobile password managers accidentally spill user credentials due to a vulnerability in the autofill feature of Android apps.

The vulnerability, called “AutoSpill,” can expose stored user credentials from mobile password managers, bypassing Android’s secure autofill mechanism, according to university researchers at IIIT Hyderabad, who discovered the vulnerability and presented the research them at Black Hat Europe this week.

The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a WebView login page, password managers can become “disoriented” about where to target the user’s login credentials and instead expose their credentials to the underlying application. native fields, they said. This is because WebView, the pre-installed engine from Google, allows developers to display web content in-app without launching a web browser and an autocomplete request is generated.

“Let’s say you’re trying to sign in to your favorite music app on your mobile device and you use the ‘sign in with Google or Facebook’ option. The music app will open a Google or Facebook sign-in page within itself through WebView,” Gangwal explained to TechCrunch ahead of Black Hat’s presentation on Wednesday.

“When the password manager is called upon to autofill credentials, ideally, it should autofill only on the loaded Google or Facebook page. However, we found that the autofill feature could accidentally expose credentials to the core application.”

Gangwal notes that the implications of this vulnerability, particularly in a scenario where the underlying application is malicious, are significant. He added: “Even without phishing, any malicious app that asks you to sign in through another website, such as Google or Facebook, can automatically access sensitive information.”

The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and updated Android devices. They found that most apps were vulnerable to credential leaks, even with JavaScript injection disabled. When JavaScript injection was enabled, all password managers were vulnerable to the AutoSpill vulnerability.

Gangwal says he notified Google and affected password managers about the flaw.

1Password CTO Pedro Canahuati told TechCrunch that the company has identified and is working on a fix for AutoSpill. “While the fix will further strengthen our security posture, 1Password’s autofill feature is designed to require the user to take explicit action,” said Canahuati. “The update will provide additional protection by preventing native fields from being populated with Android WebView-only credentials.”

Guardian CTO Craig Lurey said in remarks shared with TechCrunch that the company was notified of a potential vulnerability, but did not say whether it had made fixes. “We requested a video from the researcher to demonstrate the reported problem. Based on our analysis, we determined that the researcher had first installed a malicious application and then accepted a prompt from Keeper to force the association of the malicious application with a Keeper password record,” Lurey said.

Keeper said it “protects users from auto-filling credentials on an untrusted app or website that was not explicitly authorized by the user” and recommended that the researcher submit their report to Google “as it specifically relates to the Android platform.” “

Google and Enpass did not respond to TechCrunch’s questions. Alex Cox, manager of LastPass’ threat intelligence, mitigation and escalation team, told TechCrunch that before learning of the researchers’ findings, LastPass already had a mitigation in place via an in-product pop-up warning when the app detected they were trying to exploit the exploit . “After analyzing the findings, we added more informative wording to the pop-up,” Cox said.

Gangwal tells TechCrunch that researchers are now investigating the possibility that an attacker could extract credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.

Updated with comment from LastPass.

Android credentials cyber security Exclusive manager Mobile password password manager reveal
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleAfter e-signatures, Tomorro believes e-contracts will be the next thing
Next Article Google announces Cloud TPU v5p, its most powerful AI accelerator yet
bhanuprakash.cg
techtost.com
  • Website

Related Posts

Midjourney wants Hollywood studios to reveal the details of their use of artificial intelligence

5 July 2026

Politician who investigated abuses of wiretapping software on his phone with Pegasus spyware

3 July 2026

The US government says it’s been hacked — again

2 July 2026
Add A Comment

Leave A Reply Cancel Reply

Don't Miss

If you use Google, you train its AI. See how you can opt out.

6 July 2026

Apple is bringing back card payments for Apple Account purchases in India after a four-year hiatus

6 July 2026

Smart glasses maker Even Realities hits $1 billion valuation with $150 million in funding led by Meituan, Tencent

6 July 2026
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Fintech

India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

28 June 2026

Early Bird pricing ends tonight for the Founder Summit

26 June 2026

4 days left to save up to $190 on Founder Summit 2026

23 June 2026
Startups

Your Brand Deserves Its Own Stage — TechCrunch Disrupt 2026 Side Events

The browser wars aren’t about search anymore — here are the best alternatives to Chrome and Safari

Last chance to apply — Startup Battlefield Australia applications close on 6 July

© 2026 TechTost. All Rights Reserved
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer

Type above and press Enter to search. Press Esc to cancel.