Forum Discussion
Former Member
2 years ago
AutoSpill information
I am looking for 1Password's release about how it will be mitigating our exposure to the AutoSpill vulnerability.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
- 1p_jac
1Password Team
Hi @CrustyOldSysAdmin
At 1Password, protecting your most important data is our utmost priority. A fix for AutoSpill has been identified and is currently being worked on.
This fix is designed to enhance our security measures. It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields.
It's important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further.
We remain committed to continuously improving our security features to safeguard your digital information, and we value the trust you place in 1Password.
- SimpleMindedFool
New Contributor
Any update on if this fix has been released yet?
I've checked the release notes for Android but didn't see anything for AutoSpill.
- Former Member
If autofill is disabled in 1Password, would that protect against Autospill on Android?
- SimpleMindedFool
New Contributor
ricknfli - If you mean using Google's search engine on an iPhone you will not be in any danger from Autospill, it's just an Android issue.
Further reading here if interested!
https://arstechnica.com/security/2023/12/how-worried-should-we-be-about-the-autospill-credential-leak-in-android-password-managers/
- 1P_Dave
Moderator
Hello everyone,
As mentioned by my colleague, a fix for AutoSpill has been identified and is currently being worked on. The fix is designed to enhance our security measures and will be released as soon as possible.
I wanted to quote the following for anyone who might have missed it from earlier in the thread:
It's important to note that 1Password's autofill already requires explicit user action for operation. The update will bolster this security feature by ensuring that only the fields in Android's WebView are autofilled, preventing unintended credential entry into native app fields. It's also important to understand that the AutoSpill issue can only be exploited under very rare and specific conditions - first, if there's a malformed or malicious app installed on the device, and second, if there is intentional interaction to fill in a questionable WebView within that app. Both conditions would need to be true to experience any vulnerability. Our update will mitigate these risks even further.
I've made a note to update this thread as soon as I'm able to share more.
-Dave
- 1P_Dave
Moderator
Hello folks,
With the release of 1Password for Android 8.10.30, you’ll now be warned before you autofill if 1Password can’t verify the app or domain. Although 1Password’s autofill already required explicit user action, this fix enhances 1Password’s security measures by ensuring that only the fields in the appropriate Android WebView are autofilled, preventing unintended credential entry into native app fields.
If you haven’t updated yet then follow the steps in our guide: How to keep 1Password up to date
Thank you all for your patience while our team worked to develop and release an effective and secure response to the “AutoSpill” issue. As a reminder, the issue could only be exploited under certain very limited conditions and the latest version of 1Password for Android mitigates those scenarios.
-Dave
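Both 1Password posts above describe the same mitigation: only fields that belong to the appropriate Android WebView get filled, and native-app fields in the same screen are left alone. The sketch below is an added illustration of that rule as an Android `AutofillService`; it is not 1Password's code, and the `Credential` class, the constructed vault entry and the exact-domain match are assumptions for the example.

```kotlin
import android.app.assist.AssistStructure
import android.os.CancellationSignal
import android.service.autofill.*
import android.view.View
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

// Hypothetical credential record; a real manager would consult its vault.
data class Credential(val domain: String, val username: String, val password: String)

class WebViewScopedAutofillService : AutofillService() {
    // Constructed sample entry for the example.
    private val vault = listOf(Credential("example.com", "alice", "correct-horse"))

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val fields = mutableListOf<AssistStructure.ViewNode>()
        for (i in 0 until structure.windowNodeCount) collect(structure.getWindowNodeAt(i).rootViewNode, fields)

        // Nodes rendered by a WebView carry a webDomain; native widgets report null.
        // The AutoSpill scenario is a WebView login page and native fields in one structure:
        // native nodes are never filled here, whatever autofill hints they advertise.
        val webFields = fields.filter { it.webDomain != null }
        if (webFields.isEmpty()) { callback.onSuccess(null); return } // plain native app: out of scope

        val response = FillResponse.Builder()
        var datasets = 0
        for (cred in vault) {
            // Exact match is an assumption; a product would also verify the scheme and eTLD+1.
            val matching = webFields.filter { it.webDomain == cred.domain }
            val label = RemoteViews(packageName, android.R.layout.simple_list_item_1)
            label.setTextViewText(android.R.id.text1, "${cred.username} (${cred.domain})")
            val ds = Dataset.Builder(label)
            var set = 0
            for (node in matching) {
                val hints = node.autofillHints ?: continue
                val value = when {
                    View.AUTOFILL_HINT_USERNAME in hints -> cred.username
                    View.AUTOFILL_HINT_PASSWORD in hints -> cred.password
                    else -> continue
                }
                ds.setValue(node.autofillId!!, AutofillValue.forText(value)); set++
            }
            if (set > 0) { response.addDataset(ds.build()); datasets++ }
        }
        // No verified domain match: offer nothing (a product could surface a warning here instead).
        callback.onSuccess(if (datasets > 0) response.build() else null)
    }

    private fun collect(node: AssistStructure.ViewNode, out: MutableList<AssistStructure.ViewNode>) {
        if (node.autofillId != null && node.autofillType != View.AUTOFILL_TYPE_NONE) out.add(node)
        for (i in 0 until node.childCount) collect(node.getChildAt(i), out)
    }

    override fun onSaveRequest(request: SaveRequest, callback: SaveCallback) = callback.onSuccess()
}
```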
- Former Member
Hi!
It would be absolutely fine if I have to confirm every autofill action actively. If biometric activation is enabled, a fingerprint would also be okay. This could possibly be enabled or disabled via an app setting. In the end, this would be the current behavior if the 1Password app is not yet running in the background and has already been activated.
- Former Member
I disabled autofill for 1Password as the article says Google password manager is not subject to the same attack.
But just how does 1Password's requirement for "explicit user action for operation" protect/mitigate this vulnerability? When I get the prompt for "explicit action" what do I look for to make sure it's not also going in to a "native app field?"
- ricknfli
New Contributor
Is Autospill only a risk on Android phones, or are iphones using Google also susceptible?
- ricknfli
New Contributor
Thank you SimpleMindedFool.