ExpressVPN’s response to the AutoSpill vulnerability

A paper presented earlier this month revealed a vulnerability in password managers. Here's what we've done to protect users.
ExpressVPN news

Recently, researchers at the International Institute of Information Technology at Hyderabad discovered a vulnerability dubbed “AutoSpill” in Android password managers. The vulnerability, presented at the Black Hat Europe conference, is said to leak user credentials from seven password managers’ Android apps.

While ExpressVPN Keys was not one of the seven password managers named in the research paper, we took proactive steps to do internal tests and ensure that our users were safe from all the issues found by the researchers. 

After a thorough evaluation, we can confirm that the vulnerability had very minimal impact on ExpressVPN Keys. We have also implemented additional improvements to our Android app to strengthen our security posture further.

What is AutoSpill?

The AutoSpill vulnerability exploits a flaw in the autofill functionality of Android devices, particularly when an app’s login page is loaded in WebView controls. WebView, the preinstalled default engine from Google, lets Android apps display web content in-app without launching a web browser. However, this becomes a potential point of confusion for password managers, where they might misdirect the autofill operation and expose user credentials to third-party apps. The full research paper provides a technical explanation of the vulnerability. 

It is important to note that the AutoSpill vulnerability can only be exploited under rare and specific conditions. Firstly, a malicious app must be installed on the user’s device, and secondly, the user must intentionally interact with a questionable WebView inside that app and choose to fill it. Both conditions must be met for the vulnerability to be exploitable at all.

What we improved on Keys

We already have two existing mechanisms to prevent credential harvesting threats: 

  1. We strictly require user interaction before credentials are populated, so users are always aware of the credentials they are autofilling. Anything that seems out of the ordinary will immediately sound alarm bells. 
  2. We also require strict checks on the domain where the credentials are populated. In particular, we will only autofill credentials if the domain matches the one stored in Keys. If they are different, a warning is displayed and the user has to approve the request before the credentials are autofilled. We determine the correct domain via trusted API calls on the browser extension, Android, and iOS, rather than anything mutable from an attacker’s perspective.

We explain these mechanisms and other security measures we have implemented for Keys in our full security white paper.

In a small subset of apps, however, we discovered that Keys overrides the standard domain-based logic and will autofill based on the native app’s domain, disregarding the domain actually presented in the WebView. While this makes Keys potentially vulnerable to AutoSpill, we’d like to reiterate that this only happens in a small handful of apps. In most cases, Keys correctly recognizes the domain presented in the WebView rather than the native app’s domain.

Thus, we conclude that the AutoSpill vulnerability had minimal impact on Keys. This is primarily due to the specific condition required for its exploitation: A malicious app must first be present on the user’s device. This prerequisite, which alone poses various security threats, places AutoSpill within a broader spectrum of mobile security risks. Understanding this helps put the vulnerability into perspective—it’s not an isolated threat but is instead part of wider security challenges in mobile app environments.

We’ve since deployed a fix to prevent AutoSpill in all cases and apps—even in rare, exceptional scenarios. The update ensures that:

  • For an autofill request triggered from a WebView, we will only offer to autofill the WebView field after checking its WebDomain. When a user takes explicit action to autofill the WebView field, we will autofill that field alone, so native app fields cannot be filled unintentionally.
  • For an autofill request triggered from a native app field, we will only autofill native input fields.
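The two rules above, written out as an Android AutofillService, as an added illustration that is not ExpressVPN's code: the service walks the AssistStructure, finds the field that triggered the request, keys the credential lookup on that field's own WebDomain (or, for a native field, on the host app's domain), and fills only fields of the same kind as the trigger. The class name, the in-memory `vault`, and the `appDomains` package-to-domain map are constructed assumptions for the example.

```kotlin
import android.app.assist.AssistStructure.ViewNode
import android.os.CancellationSignal
import android.service.autofill.*
import android.view.View
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

class AutoSpillSafeService : AutofillService() {
    // Constructed sample data for the example; a real service reads its encrypted vault and
    // verifies the app-to-domain association (e.g. via Digital Asset Links) instead.
    private val vault = mapOf("example.com" to ("alice" to "correct-horse-battery"))
    private val appDomains = mapOf("com.example.app" to "example.com")

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val nodes = ArrayList<ViewNode>()
        for (i in 0 until structure.windowNodeCount) collect(structure.getWindowNodeAt(i).rootViewNode, nodes)

        // The field the user tapped is the focused node; webDomain is non-null only for WebView content.
        val trigger = nodes.firstOrNull { it.isFocused && it.autofillId != null }
        if (trigger == null) { callback.onSuccess(null); return }
        val webDomain = trigger.webDomain

        // Rule 1 (WebView trigger): look up by the WebView's own domain and fill that one field only.
        // Rule 2 (native trigger): look up by the host app's domain and fill only non-WebView fields.
        val domain = webDomain ?: appDomains[structure.activityComponent.packageName]
        val cred = domain?.let { vault[it] }
        val targets = if (webDomain != null) listOf(trigger).filter(::isLoginField)
                      else nodes.filter { it.webDomain == null && it.autofillId != null && isLoginField(it) }
        // Domain mismatch or nothing sensible to fill: offer no dataset at all.
        if (cred == null || targets.isEmpty()) { callback.onSuccess(null); return }

        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1)
            .apply { setTextViewText(android.R.id.text1, "${cred.first} ($domain)") }
        val dataset = Dataset.Builder(presentation)
        for (n in targets) {
            dataset.setValue(n.autofillId!!, AutofillValue.forText(if (isPassword(n)) cred.second else cred.first))
        }
        // The framework still requires the user to pick this dataset before any value is written.
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    private fun collect(node: ViewNode, out: MutableList<ViewNode>) {
        out.add(node)
        for (i in 0 until node.childCount) collect(node.getChildAt(i), out)
    }
    private fun isPassword(n: ViewNode) = n.autofillHints?.contains(View.AUTOFILL_HINT_PASSWORD) == true
    private fun isLoginField(n: ViewNode) = isPassword(n) || n.autofillHints?.contains(View.AUTOFILL_HINT_USERNAME) == true

    override fun onSaveRequest(request: SaveRequest, callback: SaveCallback) = callback.onSuccess()
}
```

Because the dataset is built only from fields on the same side of the WebView boundary as the trigger, a WebView controlled by one domain can never cause credentials stored for the host app's domain to land in its fields, or vice versa.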

This fix was deployed on December 15, 2023 (Android version 11.21.1), and we encourage users to update to the latest version of the Android app to enjoy the latest security improvements. We’re proud to have further strengthened our security posture with this update, and we appreciate the researchers for bringing this to the community’s attention.

Samuel Bultez is Head of Product for ExpressVPN. He has been with the company since 2015 and spearheaded the launch of many of our key product features. These include our password manager ExpressVPN Keys, our kill switch, the split tunneling feature, and many more. As an advocate for better user experience, Samuel is also instrumental in the design of ExpressVPN’s intuitive and easy-to-use apps.