Jump to content
ctrl_alt_pasta

Master password retrievable from a memory dump of a locked database

Recommended Posts

After seeing a tweet from someone able to get a master password from a memory dump on Linux, I tried it my self and was able to get a password from a locked database. This is on Windows 10 running creators update.

Here is a screenshot.

CaptureEnpass.JPG

  • Like 1

Share this post


Link to post
Share on other sites

Hi @ctrl_alt_pasta

Thanks for writing in. We are aware of this issue, and are on it to fix it very soon.

When talking from the angle of severity of this issue it can be treated as a low severity for a normal user. Because to see a master password from core-dump, one need to have control over the system, and someone having that level of privilege (equivalent to admin rights), can circumvent every protection of any password manager by getting your master password through other means like  key logging, replacing the whole binary with a fake one, etc. Eventually, a password manager can not offer that much security on a tampered or frail PC.

But, I am not saying that we are not careful about the security of your data and master password. We are very concerned about it and a fix will be rolled out very soon. And as we've stated earlier, we are on path to refactor Enpass to make it more convenient with sturdiest level of security. 

Meanwhile, we request our beloved users to please bear with us.

Share this post


Link to post
Share on other sites
4 hours ago, Vikram Dabas said:

Hi @ctrl_alt_pasta

Thanks for writing in. We are aware of this issue, and are on it to fix it very soon.

When talking from the angle of severity of this issue it can be treated as a low severity for a normal user. Because to see a master password from core-dump, one need to have control over the system, and someone having that level of privilege (equivalent to admin rights), can circumvent every protection of any password manager by getting your master password through other means like  key logging, replacing the whole binary with a fake one, etc. Eventually, a password manager can not offer that much security on a tampered or frail PC.

But, I am not saying that we are not careful about the security of your data and master password. We are very concerned about it and a fix will be rolled out very soon. And as we've stated earlier, we are on path to refactor Enpass to make it more convenient with sturdiest level of security. 

Meanwhile, we request our beloved users to please bear with us.

Thank you for the response.

Share this post


Link to post
Share on other sites

Hi Anshu kumar,

nice to hear that this issue is fixed in version 5.5.3.

But what is with the portable version 5.3.0.

Does this portable-version have that issue too?

And if when do you fix this security-bug?

Share this post


Link to post
Share on other sites

Hi @ussamkusser

Thanks for writing in. Yes, the portable version also had this issue but the good news is that it has already been fixed. An update of the portable version is already in the testing phase and will be available soon. Till then I request you to please bear with us.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×
×
  • Create New...