How Dashlane Protects You From “AutoSpill”
Researchers from the International Institute of Information Technology Hyderabad recently published research detailing the “AutoSpill” exploit on Android. This vulnerability could allow an attacker to bypass the security mechanisms protecting the autofill functionality on Android devices, causing certain credential managers to autofill excess fields in Android WebView and potentially exposing user information. It is important to note that this attack requires a malicious app to be installed on a user’s device.
Dashlane has existing safeguards that protect users against this attack. Moreover, while investigating the issue, we discovered a way to further improve our resistance to this attack vector. That upgrade to our security mechanisms was deployed to all Dashlane Android apps in Dashlane version 6.2349. Customers with an Android device should make sure they’re on the latest Dashlane version.
How AutoSpill works
Android users should be able to autofill fields on a webpage loaded within an app (called a webview) and log in to their desired website. However, the researchers identified that certain credential managers also autofill fields outside the webview in the app itself. If a user has opened a malicious app, this means that credentials could be leaked outside of the website users are trying to log in to.
Dashlane’s safeguards
While the researchers stated that they had seen no evidence that this issue has been exploited in the wild, we wanted to reassure our customers that Dashlane has existing safeguards that protect against this type of attack. Our autofill technology uses heuristics to understand exactly the fields a user intends to autofill and the data that should be inside, preventing the automatic filling of excess fields.
Dashlane users are also alerted before they attempt to autofill a credential inside an unknown or untrusted app. This way, users can decide for themselves if they trust the app and if Dashlane should really autofill an app that is not recognized as being part of their vault.
More on our Autofill process
Rather than simply filling in a list of fields when prompted, Dashlane’s autofill technology uses a heuristic process to identify the field that is the best candidate to be autofilled.
Based on this analysis, we autofill the best candidate field for each type of data (username, password, and so on) and leave the other fields unchanged.
To avoid AutoSpill, Dashlane is able to identify that a user wants to autofill their Facebook.com information, for example, inside the fields belonging to the Facebook.com website and not elsewhere.
A solution for the Android Autofill API
The AutoSpill issue ultimately arises from the manner in which the Android OS system operates. The current Android Autofill API provides credential managers with many fields to fill, making it difficult to distinguish which fields are intended to be autofilled, and which are excessive or malicious.
In order for the AutoSpill security issue to be fixed for all credential managers, we recommend that Google deploy a patch on the Autofill API. A solution would be to only provide information about the fields inside the WebView instead of all the fields of the app. This is already what the Android OS is doing when the user launches the Autofill from the native app fields: In this case, credential managers would get no information about the webpage, and it would effectively protect everyone against the AutoSpill attack. This would be the fastest way to resolve this issue.
However, as explained in this article, Dashlane protects users against these attacks.
Our team follows security research closely and uses those learnings to continuously evolve our security architecture.
Sign up to receive news and updates about Dashlane