Enpass Discussion Forum

Leaderboard

Popular Content

Showing content with the highest reputation on 08/16/2021 in all areas

  1. @Garima Singh: Is there any news regarding this problem? In June you said that you will prioritize it and fix it asap...
    1 point
  2. When will the problem finally be fixed? The thread is now 1.5 years old ??? Personally, I've had the problem since the release of macOS 11.
    1 point
  3. New Version 6.6.3 => Same Problem. I can't understand why it takes months to fix such a small problem.
    1 point
  4. Hi @UdhayanithiG, Thanks for raising the question. The short answer is NO. The article mostly discussed the autofill extensions of online password managers, which inject their UI/chrome into the web page and interact with their server. This additional chrome can be exploited by clickjacking, or exposed server endpoints can be accessed by additional scripts, because they live in the same shared space, i.e. the webpage. Here are a few points on how Enpass is immune to such attacks:

     1. Enpass injects only a limited script to detect the presence of forms that the user may want to autofill. It does not inject any chrome/UI that can be clickjacked. The autofill UI is a separate process from the browser and immune to such attacks.
     2. The connection between the local application and the browser extension is authenticated by the user via a manual pairing mechanism, and communication is encrypted with a shared key which malicious scripts can't access.
     3. Enpass, by default, requires user intervention before supplying any credential to a webpage.

     In future, if Enpass introduces a feature that requires additional UI injection in the webpage to increase user convenience, that would certainly be inside the attack surface mentioned in the article. But be assured such a feature will be optional and you can keep the Enpass extension in a configuration as it is today. Cheers :)
    1 point