I am looking for 1Password's release about how it will be mitigating our exposure to the AutoSpill vulnerability. 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not Provided

Hi @CrustyOldSysAdmin At 1Password, protecting your most important data is our utmost priority. A fix for AutoSpill has been identified and is currently being worked on. This fix is designed to enhance our security measures. It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields. It's important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further. We remain committed to continuously improving our security features to safeguard your digital information, and we value the trust you place in 1Password.

Any update on if this fix has been released yet? I've checked the release notes for Android but didnt see anything for Autospill

If autofill is disabled in 1Password, would that protect against Autospill on Android?

ricknfli - If you mean using Google's search engine on an iPhone you will not be in any danger from Autospill, it's just an Android issue. Further reading here if interested! https://arstechnica.com/security/2023/12/how-worried-should-we-be-about-the-autospill-credential-leak-in-android-password-managers/

Hello everyone, As mentioned by my colleague, a fix for AutoSpill has been identified and is currently being worked on. The fix is designed to enhance our security measures and will be released as soon as possible. I wanted to quote the following for anyone who might have missed it from earlier in the thread: It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields. It's also important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further. I've made a note to update this thread as soon as I'm able to share more. -Dave

AutoSpill information | 1Password Community

1p_jac
1Password Team
2 years ago
Hi @CrustyOldSysAdmin

At 1Password, protecting your most important data is our utmost priority. A fix for AutoSpill has been identified and is currently being worked on.

This fix is designed to enhance our security measures. It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields.

It's important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further.

We remain committed to continuously improving our security features to safeguard your digital information, and we value the trust you place in 1Password.

Forum Discussion

AutoSpill information

Recent Discussions

1Pwd desktop export is slow and may fail

Database Backup Failed every 5 minutes or so

Extend supported browsers list

macOS Password app interferes with passkeys

MacOS Your Account is Offline