Hi @Daniel-san,
Thanks for your message. I really appreciate your awareness about the security of your data.
In one sentence, I can say that Enpass is not at all affected by this issue.
This link states how the passwords from LastPass were revealed to unknown websites due to a logical bug in using regular expressions, while in Enpass we have used the proper function provided in the SDK to extract the hostname from the URL.
QString QUrl::host(ComponentFormattingOptions options = FullyDecoded);
When you visit any webpage with a URL, say http://www.example.com/login/, and click the Enpass extension icon or press the shortcut key for autofilling, the whole URL is passed to the main desktop app, which, by using the above function, extracts the hostname as www.example.com, from which the domain name would be further extracted as example.com. Now the main Enpass app finds all the matching items for example.com and transmits their icon, title and subtitle to Enpass-Helper (part of the Enpass app and not the extension). Enpass-Helper displays this information to the user and waits for the user to select the item for autofilling. (This step is bypassed if the user has requested autofill using the shortcut key and only a single item exists matching that domain.) Upon selection, the information of the selected item is passed from Enpass-Helper to the Enpass app, which further supplies the username and password to the Enpass browser extension. All this communication is secure and happens on localhost, about which you can read more here in our user manual.
As you can see, most of the work is done in the Enpass app itself rather than the extension, and we keep updating our desktop app on a regular basis, so you can confidently use Enpass and its browser extensions.
If you still have any doubts, please feel free to share with us.
Cheers and have fun with Enpass!
Hemant
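
An added illustration, not part of the reply above and not Enpass or LastPass code, of why the host used for autofill matching should come from a URL parser rather than a regular expression. JavaScript's `URL` class stands in for `QUrl::host()` here, and the regex, the vault entry, the function names and the sample URLs are all constructed for the example.

```javascript
// Added illustration; every name below is hypothetical, and the regex is a
// constructed naive pattern, not any vendor's real code.

// Constructed vault: one saved item for example.com.
const VAULT = [{ title: 'Example login', domain: 'example.com' }];

// Fragile: skips anything up to the last "@", then reads up to the next
// delimiter. An "@" inside the path is enough to fool it.
function hostByRegex(url) {
  const m = /^(?:https?:\/\/)?(?:.*@)?([^\/:?#]+)/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Robust: let a real URL parser split scheme, userinfo, host, port and path.
function hostByParser(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null; // not a URL: offer nothing
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.hostname; // lowercased, without userinfo or port
}

// A saved item applies to its own domain and to subdomains of it, compared
// on a label boundary so "notexample.com" does not match "example.com".
function matchesItem(host, itemDomain) {
  return host === itemDomain || host.endsWith('.' + itemDomain);
}

// Titles of the items that would be offered for a page URL.
function itemsFor(url, extractHost, vault = VAULT) {
  const host = extractHost(url);
  if (!host) return [];
  return vault.filter((i) => matchesItem(host, i.domain)).map((i) => i.title);
}

// Constructed sample URLs: the page's login URL and a look-alike whose real
// host is untrusted.example (the "@" sits in the path).
const SAMPLES = [
  'http://www.example.com/login/',
  'http://untrusted.example/@www.example.com/login/',
];
for (const url of SAMPLES) {
  console.log(url, '| regex:', itemsFor(url, hostByRegex),
    '| parser:', itemsFor(url, hostByParser));
}
```

Mapping a host to its registrable domain in general needs the Public Suffix List; the example sidesteps that by comparing against the stored item's domain directly.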