AutoSpill information
I am looking for 1Password's release about how it will be mitigating our exposure to the AutoSpill vulnerability.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
At 1Password, protecting your most important data is our utmost priority. A fix for AutoSpill has been identified and is currently being worked on.
This fix is designed to enhance our security measures. It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields.
It's important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further.
We remain committed to continuously improving our security features to safeguard your digital information, and we value the trust you place in 1Password.
2 -
If autofill is disabled in 1Password, would that protect against Autospill on Android?
1 -
Hi!
It would be absolutely fine if I have to confirm every autofill action actively. If biometric activation is enabled, a fingerprint would also be okay. This could possibly be enabled or disabled via an app setting. In the end, this would be the current behavior if the 1Password app is not yet running in the background and has already been activated.
0 -
I disabled autofill for 1Password as the article says Google password manager is not subject to the same attack.
But just how does 1Password's requirement for "explicit user action for operation" protect/mitigate this vulnerability? When I get the prompt for "explicit action" what do I look for to make sure it's not also going in to a "native app field?"
0 -
Any update on if this fix has been released yet?
I've checked the release notes for Android but didn't see anything for Autospill
2 -
Is Autospill only a risk on Android phones, or are iphones using Google also susceptible?
0 -
@ricknfli - If you mean using Google's search engine on an iPhone you will not be in any danger from Autospill, it's just an Android issue.
Further reading here if interested!
https://arstechnica.com/security/2023/12/how-worried-should-we-be-about-the-autospill-credential-leak-in-android-password-managers/1 -
Thank you SimpleMindedFool.
0 -
Hello everyone,
As mentioned by my colleague, a fix for AutoSpill has been identified and is currently being worked on. The fix is designed to enhance our security measures and will be released as soon as possible.
I wanted to quote the following for anyone who might have missed it from earlier in the thread:
It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields. It's also important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further.
I've made a note to update this thread as soon as I'm able to share more.
-Dave
1 -
But when? The fix was identified 3 months ago. When will it be released? Thanks.
0 -
Hello folks,
With the release of 1Password for Android 8.10.30, you’ll now be warned before you autofill if 1Password can’t verify the app or domain. Although 1Password’s autofill already required explicit user action, this fix enhances 1Password’s security measures by ensuring that only the fields in the appropriate Android WebView are autofilled, preventing unintended credential entry into native app fields.
If you haven’t updated yet then follow the steps in our guide: How to keep 1Password up to date
Thank you all for your patience while our team worked to develop and release an effective and secure response to the “AutoSpill” issue. As a reminder, the issue could only be exploited under certain very limited conditions and the latest version of 1Password for Android mitigates those scenarios.
-Dave
1
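A defensive sketch of the behaviour Dave describes above, added here as an illustration and not 1Password's own code: an Android AutofillService that offers credentials only to fields belonging to a WebView (nodes that report a web domain), never to native app fields, and declines to fill when the host app can't be verified for that domain. It assumes a hypothetical `isAssociated` helper for the app-to-domain check and hypothetical vault lookups.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.*;
// Added example, not 1Password's code. Fills only WebView-backed fields and refuses
// when the app cannot be linked to the domain; vault and link checks are placeholders.
public class WebViewOnlyAutofillService extends AutofillService {
    @Override public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String pkg = structure.getActivityComponent().getPackageName();
        List<ViewNode> webFields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) collectWebFields(structure.getWindowNodeAt(i).getRootViewNode(), webFields);
        // Native fields never receive a dataset, so a WebView login cannot spill into them.
        if (webFields.isEmpty()) { callback.onSuccess(null); return; }
        String domain = webFields.get(0).getWebDomain();
        // Refuse rather than fill when the hosting app cannot be verified for this domain.
        if (!isAssociated(pkg, domain)) { callback.onSuccess(null); return; }
        RemoteViews view = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        view.setTextViewText(android.R.id.text1, "Fill login for " + domain);
        Dataset.Builder dataset = new Dataset.Builder(view);
        for (ViewNode node : webFields) {
            boolean isPassword = Arrays.asList(node.getAutofillHints()).contains(View.AUTOFILL_HINT_PASSWORD);
            String value = isPassword ? lookupPassword(domain) : lookupUsername(domain);
            dataset.setValue(node.getAutofillId(), AutofillValue.forText(value));
        }
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }
    // Depth-first walk keeping only username/password fields whose node reports a web domain.
    private static void collectWebFields(ViewNode node, List<ViewNode> out) {
        String[] hints = node.getAutofillHints();
        if (node.getWebDomain() != null && hints != null) {
            List<String> h = Arrays.asList(hints);
            if (h.contains(View.AUTOFILL_HINT_USERNAME) || h.contains(View.AUTOFILL_HINT_PASSWORD)) out.add(node);
        }
        for (int i = 0; i < node.getChildCount(); i++) collectWebFields(node.getChildAt(i), out);
    }
    @Override public void onSaveRequest(SaveRequest request, CancellationSignal signal, SaveCallback callback) {
        callback.onSuccess(); // saving credentials is out of scope for this example
    }
    // Hypothetical placeholders: Digital Asset Links verification and vault lookups would live here.
    private boolean isAssociated(String pkg, String domain) { return false; }
    private String lookupUsername(String domain) { return ""; }
    private String lookupPassword(String domain) { return ""; }
}
```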