Posts posted by Stephen
Hi Enpass Staff,
I'm dissatisfied with LastPass Premium and am considering Enpass as an alternative.
I'm currently trialing Enpass to see if the feature set is comparable and worth the transition.
I have the Windows 10 (Build 1903 64-bit) Desktop app, the Chrome extension (on Version 79.0.3945.88 (Official Build) (64-bit)) and now the Android app.
As per the discussion here it appears that auto-fill for saved identities has been implemented.
One of the primary reasons I'm transitioning away from LastPass is the extremely poor customer service I received while reporting a phishing vulnerability. I want to ensure Enpass is not vulnerable to the same "hidden field" auto-fill vulnerability that LastPass (and Chrome) are. I attempted to test to see if this is the case on the GitHub page of the developer who discovered it: https://anttiviljami.github.io/browser-autofill-phishing/
But I can't seem to get the identity to auto-fill from the Chrome extension.
To test whether it was that specific form that could not be filled, I went to a basic HTML form on w3schools to see if I could auto-fill the fields using the saved Identity - and it doesn't appear that I am able to.
Am I missing something? As per the article, auto-fill for identity was implemented in 2016, but based on my experience thus far that doesn't seem to actually be the case.
Auto-fill Identity with Chrome Browser Extension not working (prospective user)
in Autofilling and Desktop Browser Extensions
Posted · Edited by Stephen
Hi @Tahreem,
Thanks for responding.
I should have been more explicit as to what I was doing. I am indeed double-clicking on the identities in the browser extension menu and it wasn't working.
I just determined that the identities imported from LastPass had First Name and Last Name field labels imported like so:
First Name, Last Name (capital N)
Apparently, the field label matching is case-sensitive in Enpass instead of fuzzy matching. I'm assuming this because once I opened the edit for the identity and filled the default Enpass fields: "First name" and "Last name" without N capitalized, I was able to fill the fields with labels matching "First name" and "Last name".
I tested the hidden field phishing example at https://anttiviljami.github.io/browser-autofill-phishing/ and it looks like Enpass is also vulnerable to this identity fill exploit as the hidden fields are filled.
This is a critical risk for people who have their Social Security numbers filled in their Enpass identities.
I'm going to pass on purchasing Enpass unless/until this issue is addressed.
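
The usual mitigation on the autofill side for the hidden-field problem described in the post above is to fill only fields the user can actually see. The code below is an added example, not part of the original posts and not Enpass or LastPass code; the field descriptor shape, the function names and the sample form are assumptions made for illustration.

```javascript
// Added example: which fields should an autofill tool fill on a page?
// Field descriptors are plain objects so the logic runs without a DOM; in a
// browser extension they would be built from getComputedStyle(el) and
// el.getBoundingClientRect() plus the scroll offset (page coordinates).

function hiddenReason(field) {
  const s = field.style;
  const r = field.rect;
  if (field.type === 'hidden') return 'type=hidden';
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden' || s.visibility === 'collapse') return 'visibility';
  if (parseFloat(s.opacity) < 0.1) return 'transparent';
  if (r.width < 2 || r.height < 2) return 'zero-size';
  // Entirely above or left of the page origin: can never be scrolled into view.
  if (r.right <= 0 || r.bottom <= 0) return 'off-page';
  return null; // the user can see this field
}

// Split a form into fields to fill and fields to skip (with the reason).
function planAutofill(fields) {
  const plan = { fill: [], skip: [] };
  for (const f of fields) {
    const reason = hiddenReason(f);
    if (reason) plan.skip.push({ name: f.name, reason });
    else plan.fill.push(f.name);
  }
  return plan;
}

// Constructed sample form (hypothetical field names, not taken from any real page).
const box = (left, top, width, height) =>
  ({ left, top, width, height, right: left + width, bottom: top + height });
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const SAMPLE_FIELDS = [
  { name: 'first_name', type: 'text', style: shown, rect: box(100, 100, 200, 30) },
  { name: 'email', type: 'email', style: shown, rect: box(100, 150, 200, 30) },
  { name: 'phone', type: 'text', style: shown, rect: box(-500, 200, 200, 30) },
  { name: 'address', type: 'text', style: { ...shown, display: 'none' }, rect: box(0, 0, 0, 0) },
  { name: 'ssn', type: 'text', style: { ...shown, opacity: '0' }, rect: box(100, 250, 200, 30) },
];

console.log(planAutofill(SAMPLE_FIELDS));
```

These checks are heuristics: a field clipped by an ancestor with hidden overflow, or covered by another element, would need additional tests against the live page.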