Enpass Discussion Forum

JakeC

  1. Hi, I'm evaluating several password managers, and Enpass made it to the short list. Although I haven't experienced an HTTP 500 error as MarkV described, I have some concerns regarding why it is necessary to append the data in the Enpass6AutoFill token to the query string of the URL. It wouldn't bother me at all if this data would only be accessible to the Enpass Browser extension(s), but a side effect of appending this data to the URL is that it is being sent to the server I'm logging into!

     The Enpass6AutoFill token looked to be Base64, so I decoded it. It looks to only contain UUIDs identifying the records in the Enpass database related to the specific site I'm logging into. Not sure if a malicious or compromised web server could use this information; but regardless, sending any data to a server that is not absolutely necessary is bad security!

     If I open a new tab in Safari, type http://www.netflix.com without appending the Enpass6AutoFill token, click on the icon for the Enpass Safari extension, and double-click on the Netflix entry in Enpass, the username and password are filled in perfectly fine! So I'm not convinced that the Enpass6AutoFill token is required in order for the Safari browser extension to work properly as Ankur Gupta suggests.

     So before I purchase licensed copies of Enpass for all my devices, why is it absolutely necessary to append the EnpassAutoFill token to the query string of the URL when clicking on the links within the Enpass desktop app? Has the potential of this information being exploited in some way been considered? What measures have been taken to ensure this information cannot be exploited?
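The check described in the post above, as an added example that is not part of the original post and not Enpass code: it Base64-decodes the `Enpass6AutoFill` query parameter, lists any UUIDs inside it, and returns the URL with the parameter removed. The token layout, the UUIDs and the `login.example.com` URL are constructed for illustration; the post only states that the token is Base64 and appears to contain UUIDs.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TOKEN_PARAM = "Enpass6AutoFill"  # parameter name as given in the post
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

def decode_token(token):
    """Base64-decode a token taken from a query string."""
    # parse_qsl turns an unescaped '+' into a space; undo that first.
    token = token.replace(" ", "+")
    # Accept the URL-safe alphabet and restore any stripped padding.
    token = token.replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    return base64.b64decode(token).decode("utf-8", errors="replace")

def inspect_url(url):
    """Return (UUIDs found in the token, URL with the token removed)."""
    parts = urlsplit(url)
    uuids, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == TOKEN_PARAM:
            try:
                uuids.extend(UUID_RE.findall(decode_token(value)))
            except ValueError:
                pass  # not valid Base64: nothing to report, still strip it
        else:
            kept.append((name, value))
    return uuids, urlunsplit(parts._replace(query=urlencode(kept)))

def sample_url():
    """Constructed sample: payload layout and UUIDs are assumptions."""
    payload = ('{"items":["11111111-2222-4333-8444-555555555555",'
               '"aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"]}')
    token = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    return ("https://login.example.com/signin?next=%2Fhome&"
            + TOKEN_PARAM + "=" + token)

if __name__ == "__main__":
    found, clean = inspect_url(sample_url())
    print("identifiers sent to the server:", found)
    print("URL without the token:", clean)
```

Anything listed in the first result would also appear in the destination server's access logs, since the query string is part of the request line.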