Stephen, posted December 29, 2019 (edited)

Hi Enpass Staff,

I'm dissatisfied with LastPass Premium and am considering Enpass as an alternative. I'm currently trialing Enpass to see if the feature set is comparable and worth the transition. I have the Windows 10 (Build 1903 64-bit) Desktop app, the Chrome extension (on Version 79.0.3945.88 (Official Build) (64-bit)) and now the Android app. As per the discussion here it appears that auto-fill for saved identities has been implemented.

One of the primary reasons I'm transitioning away from LastPass is the extremely poor customer service I received while reporting a phishing vulnerability. I want to ensure Enpass is not vulnerable to the same "hidden field" auto-fill vulnerability that LastPass (and Chrome) are. I attempted to test whether this is the case on the GitHub page of the developer who discovered it: https://anttiviljami.github.io/browser-autofill-phishing/

But I can't seem to get the identity to auto-fill from the Chrome extension. To test whether it was that specific form that could not be filled, I went to a basic HTML form on w3schools to see if I could auto-fill the fields using the saved Identity, and it doesn't appear that I am able to. Am I missing something? As per the article, auto-fill for identity was implemented in 2016, but based on my experience thus far that doesn't seem to actually be the case.

Edited December 29, 2019 by Stephen
Tahreem, posted January 3, 2020

Hello @Stephen,

Thanks for showing interest in Enpass. The auto-filling of details via Identity works differently. Unlike the login items, the identities aren't stored or shown by default for any webpage. We have a dedicated 'Identity' tab in the Enpass browser extension (see attached screenshot) which you will need to click to view, and then double-click the item to fill the details. I hope this clarifies!
Stephen (Author), posted January 6, 2020 (edited)

Hi @Tahreem,

Thanks for responding. I should have been more explicit as to what I was doing. I am indeed double-clicking on the identities in the browser extension menu and it wasn't working.

I just determined that the identities imported from LastPass had First Name and Last Name field labels imported like so: "First Name", "Last Name" (capital N). Apparently, the field label matching is case-sensitive in Enpass instead of fuzzy matching. I'm assuming this because once I opened the edit for the identity and filled the default Enpass fields "First name" and "Last name", without the N capitalized, I was able to fill the fields with labels matching "First name" and "Last name".

I tested the hidden field phishing example at https://anttiviljami.github.io/browser-autofill-phishing/ and it looks like Enpass is also vulnerable to this identity fill exploit, as the hidden fields are filled. This is a critical risk for people who have their Social Security numbers filled in their Enpass identities. I'm going to pass on purchasing Enpass unless/until this issue is addressed.

Edited January 6, 2020 by Stephen
Kashish, posted January 17, 2020

Hello @Stephen,

Thanks for explaining the problem details. We've been busy identifying the issue and looking for a solution.

On 1/7/2020 at 12:37 AM, Stephen said:
    "I just determined that the identities imported from Lastpass had First Name and Last Name field labels"

Enpass currently doesn't support auto-fill of identities that have been imported from other password managers. You can, however, create a similar identity within Enpass and auto-fill it.

On 1/7/2020 at 12:37 AM, Stephen said:
    "Enpass is also vulnerable to this identity fill exploit as the hidden fields are filled."

We acknowledge your feedback and thank you for highlighting this. Our team has started working on the vulnerability and we'll be releasing a fix for this in the forthcoming updates. Let us know if you have any other suggestions. Thanks.
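The defence against the hidden-field fill reported in this thread is for the extension to fill only fields the user can actually see, and to match labels case-insensitively. The following is an added illustration, not Enpass's code or anything from the posts; the element objects, field names and identity values are constructed stand-ins for DOM inputs so it runs under Node.

```javascript
// Added example (not Enpass code): a fill guard that refuses to put identity
// data into fields the user cannot see. Uses a constructed stand-in for DOM
// elements; in a browser, style and rect would come from getComputedStyle()
// and getBoundingClientRect().
function isVisible(el) {
  if (el.type === 'hidden') return false;            // <input type="hidden">
  const s = el.style;                                // stand-in for computed style
  if (s.display === 'none' || s.visibility === 'hidden') return false;
  if (parseFloat(s.opacity || '1') === 0) return false;
  const r = el.getBoundingClientRect();              // zero-size or off-screen box
  if (r.width === 0 || r.height === 0) return false;
  if (r.right <= 0 || r.bottom <= 0) return false;
  return true;
}
// Case-insensitive label matching, since the thread found "First Name" and
// "First name" failed to match.
function normalizeLabel(label) {
  return label.trim().toLowerCase().replace(/[\s_-]+/g, ' ');
}
// Fill only visible fields whose label matches an identity attribute and
// report what was skipped, so the user can be told a page asked for more.
function fillIdentity(fields, identity) {
  const wanted = new Map(Object.entries(identity).map(([k, v]) => [normalizeLabel(k), v]));
  const filled = {}, skipped = [];
  for (const f of fields) {
    const key = normalizeLabel(f.label);
    if (!wanted.has(key)) continue;
    if (!isVisible(f)) { skipped.push(f.name); continue; }
    f.value = wanted.get(key);
    filled[f.name] = f.value;
  }
  return { filled, skipped };
}
// Constructed sample form: two visible fields plus three concealed ones.
function makeField(name, label, opts = {}) {
  const rect = opts.rect || { width: 200, height: 30, right: 400, bottom: 200 };
  return { name, label, type: opts.type || 'text', style: opts.style || {},
           value: '', getBoundingClientRect: () => rect };
}
const SAMPLE_FORM = [
  makeField('fname', 'First Name'),
  makeField('lname', 'Last Name'),
  makeField('ssn', 'Social Security Number', { style: { display: 'none' } }),
  makeField('phone', 'Phone', { type: 'hidden' }),
  makeField('email', 'Email', { rect: { width: 200, height: 30, right: -10, bottom: 200 } }),
];
const SAMPLE_IDENTITY = { 'first name': 'Jane', 'last name': 'Doe',
  'social security number': '000-00-0000', phone: '555-0100', email: 'jane@example.test' };
```

Running `fillIdentity(SAMPLE_FORM, SAMPLE_IDENTITY)` fills only the two name fields and reports the concealed SSN, phone and email fields as skipped.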