Skip to main content
December 7, 2023
Question

AutoSpill information

  • December 7, 2023
  • 11 replies
  • 1463 views

I am looking for 1Password's release about how it will be mitigating our exposure to the AutoSpill vulnerability.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

11 replies

1p_jac
1Password Employee
December 7, 2023

Hi @CrustyOldSysAdmin

At 1Password, protecting your most important data is our utmost priority. A fix for AutoSpill has been identified and is currently being worked on.

This fix is designed to enhance our security measures. It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields.

It's important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further.

We remain committed to continuously improving our security features to safeguard your digital information, and we value the trust you place in 1Password.

December 11, 2023

If autofill is disabled in 1Password, would that protect against Autospill on Android?

December 12, 2023

Hi!

It would be absolutely fine if I have to confirm every autofill action actively. If biometric activation is enabled, a fingerprint would also be okay. This could possibly be enabled or disabled via an app setting. In the end, this would be the current behavior if the 1Password app is not yet running in the background and has already been activated.

December 12, 2023

I disabled autofill for 1Password as the article says Google password manager is not subject to the same attack.

But just how does 1Password's requirement for "explicit user action for operation" protect/mitigate this vulnerability? When I get the prompt for "explicit action" what do I look for to make sure it's not also going in to a "native app field?"

January 28, 2024

Any update on if this fix has been released yet?
I've checked the release notes for Android but didnt see anything for Autospill

February 22, 2024

Is Autospill only a risk on Android phones, or are iphones using Google also susceptible?

February 25, 2024

@ricknfli - If you mean using Google's search engine on an iPhone you will not be in any danger from Autospill, it's just an Android issue.

Further reading here if interested!
https://arstechnica.com/security/2023/12/how-worried-should-we-be-about-the-autospill-credential-leak-in-android-password-managers/

February 26, 2024

Thank you SimpleMindedFool.

1P_Dave
1Password Employee
March 1, 2024

Hello everyone,

As mentioned by my colleague, a fix for AutoSpill has been identified and is currently being worked on. The fix is designed to enhance our security measures and will be released as soon as possible.

I wanted to quote the following for anyone who might have missed it from earlier in the thread:

It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields. It's also important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further.

I've made a note to update this thread as soon as I'm able to share more.

-Dave

March 1, 2024

But when? The fix was identified 3 months ago. When will it be released? Thanks.