Jump to content

Stephen

Members
  • Content Count

    2
  • Joined

  • Last visited

Everything posted by Stephen

  1. Hi @Tahreem, Thanks for responding. I should have been more explicit as to what I was doing. I am indeed double-clicking on the identities in the browser extension menu and it wasn't working. I just determined that the identities imported from Lastpass had First Name and Last Name field labels imported like so: First Name, Last Name (capital N) Apparently, the field label matching is case-sensitive in Enpass instead of fuzzy matching. I'm assuming this because once I opened the edit for the identity and filled the default Enpass fields: "First name" and "Last name" without N capitalized, I was able to fill the fields with labels matching "First name" and "Last name". I tested the hidden field phishing example at https://anttiviljami.github.io/browser-autofill-phishing/ and it looks like Enpass is also vulnerable to this identity fill exploit as the hidden fields are filled. This is a critical risk for people who have their Social Security numbers filled in their Enpass identities. I'm going to pass on purchasing Enpass unless/until this issue is addressed.
  2. Hi Enpass Staff, I'm dissatisfied with Lastpass Premium and am considering Enpass as an alternative. I'm currently trialing Enpass to see if the feature set is comparable and worth the transition. I have the Windows 10 (Build 1903 64-bit) Desktop app, the Chrome extension (on Version 79.0.3945.88 (Official Build) (64-bit)) and now the Android app. As per the discussion here it appears that auto-fill for saved identities has been implemented. One of the primary reasons I'm transitioning away from Lastpass is the extremely poor customer service I received while reporting a phishing vulnerability. I want to ensure Enpass is not vulnerable to the same "hidden field" auto-fill vulnerability that Lastpass (and Chrome) are. I attempted to test to see if this is the case on the Github page of the developer who discovered it: https://anttiviljami.github.io/browser-autofill-phishing/ But I can't seem to get the identity to auto-fill from the Chrome extension. To test whether it was that specific form that could not be filled, I went to a basic HTML form on w3schools to see if I could auto-fill the fields using the saved Identity - and it doesn't appear that I am able to. Am I missing something? As per the article, auto-fill for identity was implemented in 2016, but based on my experience thus far that doesn't seem to actually be the case.
×
×
  • Create New...