Can someone spoof a login?


2 hours ago, Ivarson said:

Spoofing a site to Enpass should be easy, because it's not built to _verify_ the identity of a host, only to filter out a match that's as accurate as possible. Always check the certificate and hostname before using autofill.

But only the items with the same domain name are shown.

Of course, maybe I was a bit misleading. The point is that Enpass doesn't do security validation on the URLs you're doing autofill on.

That's part of the reason the devs require the user to hit autofill via the hotkey or plugin-button.

The security has to lie in you, your OS and the browser.


Like when you visit your home router at "192.168.x.1", which of course isn't even a DNS name. At best, you've got a self-signed certificate which the browser hopefully warns you about. That does encrypt the traffic but doesn't ensure the identity of the router. Enpass doesn't care though, neither should it imho.

Hi @ctrl_alt_pasta,

What @Ivarson said is certainly right. Enpass doesn't do any security validation for you. Your browser is equipped with the best tools to do any security validation of the identity of the host. Constant updates are provided to guard against spoofing attacks like address bar spoofing. So, one should always pay attention to browser address bar warnings for broken or invalid certificates.

However, before autofilling, Enpass always matches the domain name for saved items and shows only relevant items. This protects you against phishing attacks with look-alike domains.
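The kind of host matching discussed in this thread, as an added example that is not Enpass's code and not part of any post: the matching rule, function names and sample items are all assumptions. It contrasts a label-boundary comparison with a naive substring check, and shows that a match on a plain-HTTP router address says nothing about the host's identity.

```javascript
// Added illustration, not Enpass code. Sample vault items are constructed.
const savedItems = [
  { title: "Bank", url: "https://bank.example/login" },
  { title: "Router", url: "http://192.168.0.1/" },
];

// Normalized host of a URL, or null if it cannot be parsed.
// The URL parser lowercases the host and converts IDN labels to punycode,
// so a Unicode homograph ends up as a different "xn--" host string.
function hostOf(rawUrl) {
  try {
    return new URL(rawUrl).hostname;
  } catch {
    return null;
  }
}

// IPv4 dotted quad or bracketed IPv6 literal.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

// Match only the same host or a subdomain of it, compared on label
// boundaries. IP literals must match exactly.
function hostMatches(savedHost, pageHost) {
  if (!savedHost || !pageHost) return false;
  if (savedHost === pageHost) return true;
  if (isIpLiteral(savedHost) || isIpLiteral(pageHost)) return false;
  return pageHost.endsWith("." + savedHost);
}

// Titles of the items offered for a page. Note what is NOT checked here:
// scheme, certificate, or who actually answers at that host.
function itemsForPage(pageUrl, items = savedItems) {
  const pageHost = hostOf(pageUrl);
  return items
    .filter((it) => hostMatches(hostOf(it.url), pageHost))
    .map((it) => it.title);
}

// Weak variant for contrast: substring matching on the raw URL.
function naiveItemsForPage(pageUrl, items = savedItems) {
  return items
    .filter((it) => pageUrl.includes(hostOf(it.url)))
    .map((it) => it.title);
}
```

The router entry still matches `http://192.168.0.1/admin` with no certificate involved, which is the point made above: filtering by host narrows the list, and verifying the host is left to the browser and the user.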

