Enpass Discussion Forum

Vinod Kumar (Enpass team member)

Posts: 509 | Days Won: 42

Posts posted by Vinod Kumar

  1.  

    23 minutes ago, Ivarson said:

    The HTTP service mentioned, I presume, is the WiFi sync part, which isn't utilized if one doesn't use WiFi sync nor start the service?

    WiFi sync is a different service than this. The HTTP service mentioned is used by the mobile apps for manual vault "Backup and Restore over Wi-Fi". Because the Enpass Core part (C++) is shared across all platforms, the buffer overflow was found in a source code audit.

    Desktop apps do not use this service.

    • Like 1
    • Thanks 2
  2. Thanks @Ivarson. You are 100% right here. 

    @sxc4567 PIN locking is a convenience feature and only restricts app access. It does not close the underlying SQLCipher database handle, and an unencrypted database page may still be there in process memory. However, there is an additional level of encryption for the stored passwords with a per-item obfuscation key to prevent direct visibility in memory in this case. An attacker with advanced skills can still find the obfuscation keys and decrypt it, though.

    Locking with the master password is the safest option for Linux as it will close all underlying resources too.

    Cheers :)

    • Like 4
  3. Hi @sxc4567

    I can understand the risks associated with this unfortunate situation. We use both mlock (to exclude memory from swap) and madvise (to exclude memory from dumps) for critical memory allocations. Please read this old reply to understand how much of the sensitive data is available in memory as plain text at a given time and how memory sanitization works in Enpass.

    We are continuously working to improve the security of Enpass and have prioritized a memory sanitization review task to specifically handle this situation.

    Regards,

    • Like 2
    • Thanks 2
  4. Hi @phoenix1386,

    Thanks for writing back. We will reach out to Apple about this glitch.

    The original issue in the thread, "Look Me Up By Email", is totally unrelated to the group container screenshot provided by you. It looks similar because the "7ADB8CC6TF.in.sinew.*" prefix is our company id on the Apple store and may appear in multiple places.

    Please let us know where exactly you are seeing that the group container in the screenshot is being synced to iCloud.


  5. Hi @phoenix1386,

    The group container folder issue, the one you mentioned, is an entirely different issue. We don't know what configuration on your system causes it to be available on iCloud. Enpass does not sync that folder with iCloud. Just for information, that folder does not contain your sensitive Vault data, but info to establish a connection between Enpass and its Safari extension.

    Can you provide some more details about how you have configured iCloud to back up your system files?

  6. Hi all,

    Thank you for your patience. I discussed the issue with the team and would like to shed some light on why we are not able to fix it.

    Why this permission

    To let users use the iCloud sync feature in the non-store app and with multiple iCloud accounts, we use the CloudKit Web Services APIs (CloudKit Web Services Reference: About CloudKit Web Services (apple.com)). It includes the following authorization & permission grant flow:

    1. When the user wants to connect with their iCloud storage, Enpass will launch a browser to sign in to their Apple account and grant permission to use the iCloud CloudKit APIs.
    2. We need the user's email to avoid multiple account conflicts in Enpass and to inform the user which Apple/iCloud id they are syncing their data with, and "Look me up by email" is our only option. So, authorization includes a page to explicitly grant "Look me up by email". If you deny this at this point, Enpass will not show your account information in the Enpass app. Also, your app will not appear in the "Look me up by email" list.

    Please note that in any case your iCloud access token or any data never reaches or is linked with our server. All the above-mentioned processes are restricted to the locally installed Enpass app and your iCloud account.

    Fixing Privacy concerns

    Apple keeps track of apps to which you have provided "Look me up by email" access during authorization. You can see these in macOS settings or the iCloud web interface. If you have privacy concerns, you can disable "Look me up by email" simply by unchecking the Enpass app there, and Enpass will not be able to use this feature. Technically, now Enpass can't look you up by email, and from a privacy point of view it is solved.

    UI issue

    Now the only question remaining is why it is even listed in the "Look me up by email" list when unchecked. It's a UI/cleanup issue rather than a privacy issue. Unfortunately, Apple does not provide a way for users to remove an app from that list or unlink an app completely. Removing permissions and unlinking apps is something that is always in the control of the provider, not the apps. So, this is something that is not fixable from our side.

    • Like 1
  7. Hi @ButisitArt57

    On macOS, Enpass copies data to the clipboard with a flag (org.nspasteboard.TransientType) indicating that the data should not be recorded in pasteboard history due to the sensitive nature of the data. Only clipboard managers that do not support this flag or are configured to ignore it will save the data to their history.

    Quote
    • org.nspasteboard.TransientType: This marker’s presence indicates content will be on the pasteboard only momentarily. The pasteboard will either be restored to previous content, or the current content will be replaced within seconds. Data marked transient should not be recorded or displayed in a pasteboard history.

    Maybe you should look for some settings in your clipboard manager to control the behaviour for this flag. However, we advise against it, as your clipboard history might get stored on disk unencrypted and defeat the purpose of having a password manager.

    Thanks.

  8. Hi @Ivarson,

    Thanks for bringing this to our notice. You are right, we should have provided a better warning message.

    Icons are not treated as sensitive data and are for UI enhancement only. Obfuscating the cache filename can avoid casual guessing but will not resolve the problem completely. Also, different device resolutions, scrolling performance issues & complex updating mechanisms are a few situations where we decided to avoid storing them in the main database. This was a trade-off decision we made then. Maybe it's time we look for an alternate strategy that satisfies all the requirements.

    Thanks.

    • Like 1
  9. Hi @UdhayanithiG,

    Thanks for raising the question. The short answer is NO.

    The article mostly discusses the autofill extensions of online password managers, which inject their UI/chrome into the web page and interact with their server. This additional chrome can be exploited by clickjacking, or exposed server endpoints can be accessed by additional scripts because they live in the same shared space, i.e. the webpage. Here are a few points on how Enpass is immune to such attacks:

    1. Enpass only injects a limited script to detect the presence of forms that the user may want to autofill. It does not inject any chrome/UI that can be clickjacked. The autofill UI is a separate process from the browser and is immune to such attacks.

    2. The connection between the local application and the browser extension is authenticated by the user via a manual pairing mechanism, and communication is encrypted with a shared key which malicious scripts can't access.

    3. Enpass, by default, requires user intervention before supplying any credential to webpage.

    In future, if Enpass introduces a feature that requires additional UI injection in the webpage to increase user convenience, that would certainly be inside the attack surface mentioned in the article. But be assured such a feature will be optional, and you can keep the Enpass extension in the configuration it has today.

    Cheers:)

    • Like 3
  10. Hi @buyrsr,

    I understand your concern about the availability of data. You can always export data from Enpass to JSON format, which contains complete details of your data and can be used by a software tool. Also, Enpass uses the open-source SQLCipher for the database file. Enpass derives a key from the master password with PBKDF2-HMAC-SHA512 (100K iterations, outside of SQLCipher) and uses it as the raw key for SQLCipher. You can find a few open-source implementations to read the Enpass database file on GitHub.

    Thanks.
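A worked version of the derivation described in this post, added here as an example and not Enpass's own code: stretch the master password with PBKDF2-HMAC-SHA512 at 100K iterations and hand the result to SQLCipher in its raw-key form, so SQLCipher applies no second KDF. The 32-byte key length and the 16-byte salt are assumptions not stated in the post; the `x'<hex>'` PRAGMA syntax is SQLCipher's documented raw-key form.

```python
import hashlib
import hmac
import secrets

# Parameters as stated in the post: PBKDF2-HMAC-SHA512 with 100K iterations,
# run by the application itself and handed to SQLCipher as a raw key, so
# SQLCipher applies no second KDF of its own.
PBKDF2_HASH = "sha512"
PBKDF2_ITERATIONS = 100_000
# Assumptions (not stated in the post): a 32-byte key, which is what
# SQLCipher's x'<hex>' raw-key form expects, and a 16-byte random salt.
RAW_KEY_LEN = 32
SALT_LEN = 16


def derive_raw_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into the SQLCipher raw key."""
    return hashlib.pbkdf2_hmac(
        PBKDF2_HASH,
        master_password.encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
        dklen=RAW_KEY_LEN,
    )


def sqlcipher_key_pragma(raw_key: bytes) -> str:
    """Format the derived key in SQLCipher's raw-key syntax.

    The x'...' form makes SQLCipher use the bytes directly instead of
    running its own PBKDF2 over a passphrase.
    """
    if len(raw_key) != RAW_KEY_LEN:
        raise ValueError(f"raw key must be {RAW_KEY_LEN} bytes, got {len(raw_key)}")
    return f"PRAGMA key = \"x'{raw_key.hex()}'\";"


def verify_master_password(candidate: str, salt: bytes, expected_key: bytes) -> bool:
    """Re-derive the key from a typed password and compare in constant time."""
    return hmac.compare_digest(derive_raw_key(candidate, salt), expected_key)


if __name__ == "__main__":
    # Constructed sample values, not real vault data.
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_raw_key("correct horse battery staple", salt)
    print(sqlcipher_key_pragma(key))
    print(verify_master_password("wrong password", salt, key))
```

A reader that opens the vault with this key would run the PRAGMA first on the SQLCipher connection; a wrong password simply yields a different key and SQLCipher rejects the file.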


  11. Hi @electrolund,

    I can understand the worry of our users after this incident. I would like to provide some explanation about delivery channels and tools we use:

    We have our own system to notify of updates and for distribution, apart from the standard app stores. All Enpass builds are automated and scanned against the VirusTotal service to eliminate human error.

    App stores:
    Most of the Enpass installations happen through various app stores (Apple store for macOS and iOS, Windows store and Google Play store), which do not require any third-party installer. Updates are also handled by the corresponding app stores.

    Distributed via our website:
    All downloads happen through our own servers only and over HTTPS. The in-built updater in Enpass for macOS and Windows checks for integrity after downloading an update.
    1. The macOS installer is built using the standard pkg tools provided by Apple.
    2. The Windows installer is built using the latest version of the widely known open-source WiX tools.
    3. Linux packages are distributed from our own signed apt and yum repositories.

    Let me know if you have other queries.

    Cheers:)

  12. Hi @Fab8

    Unlocking via PIN is more of a convenience feature than a security one. In the case of PIN, Enpass restricts access to data through the user interface without locking down the database. After three failed attempts, the database will be closed and the master password will be required next time.

    20 hours ago, Fab8 said:

    In case someone gets access to an unlocked Mac with Enpass locked with PIN (instead of master password):

    May it be possible that this person (that is pretty much into IT / has former computer skills) could gain access to data saved in Enpass?

    Your master password does not remain in memory at any time after the initial unlock of the database. However, running sophisticated attacks with administrative privileges is still possible. We recommend against using PIN in such environments.

    :)

    • Like 1
  13. Hi @chrismin13,

    Thanks for your efforts to bundle Enpass for the snap store. We are short on team members to handle all kinds of packaging. We will give you explicit permission to redistribute our software for the snap store. Please share your email id in a PM.

    As for the other bugs, issue 1 can be resolved from our side by checking an environment variable set by snap. The browser extension connection requires permission to run system commands like readlink/netstat/lsof and a port open on localhost. The team is investigating the issues and possible fixes.

    Thanks,
    Vinod

    • Like 2
  14. Hi @Trendsetter,

    Password strength in Enpass is calculated using the zxcvbn algorithm. Calculation by this method does not rely solely on length but depends on different kinds of patterns too. Introducing an additional character may not necessarily result in increased strength if it introduces a pattern match according to the algorithm. Please visit the following links for more info.

    https://www.enpass.io/docs/security-whitepaper-enpass/miscellaneous.html#password-strength-estimation

    https://github.com/dropbox/zxcvbn

    Thanks.

