Stephen

Auto-fill Identity with Chrome Browser Extension not working (prospective user)

Hi Enpass Staff,

I'm dissatisfied with Lastpass Premium and am considering Enpass as an alternative. 
I'm currently trialing Enpass to see if the feature set is comparable and worth the transition. 
I have the Windows 10 (Build 1903 64-bit) Desktop app, the Chrome extension (on Version 79.0.3945.88 (Official Build) (64-bit)) and now the Android app.
As per the discussion here it appears that auto-fill for saved identities has been implemented. 

One of the primary reasons I'm transitioning away from Lastpass is the extremely poor customer service I received while reporting a phishing vulnerability. I want to ensure Enpass is not vulnerable to the same "hidden field" auto-fill vulnerability that Lastpass (and Chrome) are. I attempted to test to see if this is the case on the GitHub page of the developer who discovered it: https://anttiviljami.github.io/browser-autofill-phishing/
But I can't seem to get the identity to auto-fill from the Chrome extension.
To test whether it was that specific form that could not be filled, I went to a basic HTML form on w3schools to see if I could auto-fill the fields using the saved Identity - and it doesn't appear that I am able to.

Am I missing something? As per the article, auto-fill for identity was implemented in 2016, but based on my experience thus far that doesn't seem to actually be the case.

 

Edited by Stephen


Hello @Stephen,

Thanks for showing interest in Enpass.

The auto-filling details via Identity will work differently. Like the login items, the identities aren't stored or shown by default for any webpage. We have a dedicated 'Identity' tab in the Enpass browser extension (see attached screenshot) which you will need to click to view and then double click the item to fill the details.

I hope this clarifies!

identity.PNG


Hi @Tahreem,
Thanks for responding. 
I should have been more explicit as to what I was doing. I am indeed double-clicking on the identities in the browser extension menu and it wasn't working.
I just determined that the identities imported from Lastpass had First Name and Last Name field labels imported like so:
First Name, Last Name (capital N)
Apparently, the field label matching is case-sensitive in Enpass instead of fuzzy matching. I'm assuming this because once I opened the edit for the identity and filled the default Enpass fields: "First name" and "Last name" without N capitalized, I was able to fill the fields with labels matching "First name" and "Last name".

I tested the hidden field phishing example at https://anttiviljami.github.io/browser-autofill-phishing/ and it looks like Enpass is also vulnerable to this identity fill exploit as the hidden fields are filled. 
This is a critical risk for people who have their Social Security numbers filled in their Enpass identities.
I'm going to pass on purchasing Enpass unless/until this issue is addressed.
 

Edited by Stephen


Hello @Stephen,

Thanks for explaining the problem details. We'd been busy identifying the issue and looking for a solution to it.

On 1/7/2020 at 12:37 AM, Stephen said:

I just determined that the identities imported from Lastpass had First Name and Last Name field labels

Enpass currently doesn't support auto-fill of the identities that have been imported from other PW managers. You can, however, create a similar identity within Enpass and auto-fill. 

On 1/7/2020 at 12:37 AM, Stephen said:

Enpass is also vulnerable to this identity fill exploit as the hidden fields are filled. 

We acknowledge your feedback and thank you for highlighting this. Our team has started working on the vulnerability and we'll be releasing a fix for this in the forthcoming updates.

Let us know if you have any other suggestions.

Thanks.
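
The hidden-field fill reported in this thread can be blocked on the extension side by filling only fields the user can actually see. The following is an added example, not part of the original posts and not Enpass's code: `hiddenReason`, `planIdentityFill` and the field descriptors are hypothetical names, and the label normalisation is one possible answer to the case-sensitive matching described above.

```javascript
// Constructed field descriptors stand in for DOM inputs so this runs under Node.
// Assumption: a real extension would read these values from getComputedStyle()
// and getBoundingClientRect() (plus scroll offsets) for each input element.
const visibleDefaults = { type: 'text', display: 'block', visibility: 'visible',
  opacity: '1', left: 20, top: 40, width: 200, height: 24 };
const field = (label, overrides = {}) => ({ label, ...visibleDefaults, ...overrides });

// Returns why the user cannot see a field, or null when it is visible.
function hiddenReason(f) {
  if (f.type === 'hidden') return 'type=hidden';
  if (f.display === 'none') return 'display:none';
  if (f.visibility !== 'visible') return 'visibility';
  if (Number(f.opacity) === 0) return 'opacity:0';
  if (f.width < 2 || f.height < 2) return 'zero-size';
  // Document coordinates: fields below the fold are fine, negative ones are not.
  if (f.left + f.width <= 0 || f.top + f.height <= 0) return 'off-screen';
  return null;
}

// Case- and punctuation-insensitive label key: "First Name" matches "First name".
const normalize = (s) => s.toLowerCase().replace(/[^a-z0-9]/g, '');

// Decide what to fill: matching visible fields only; hidden matches are reported.
function planIdentityFill(fields, identity) {
  const byKey = new Map(Object.entries(identity).map(([k, v]) => [normalize(k), v]));
  const plan = { fill: {}, skipped: [] };
  for (const f of fields) {
    const key = normalize(f.label);
    if (!byKey.has(key)) continue;            // identity has no value for this field
    const reason = hiddenReason(f);
    if (reason) plan.skipped.push({ label: f.label, reason });
    else plan.fill[f.label] = byKey.get(key);
  }
  return plan;
}

// Constructed sample form and identity (all values are placeholders).
const sampleForm = [
  field('First Name'), field('email'),
  field('Phone', { left: -500 }),             // pushed off the left edge
  field('Address', { display: 'none' }),
  field('SSN', { opacity: '0' }),
  field('last name', { type: 'hidden' }),
];
const sampleIdentity = { 'First name': 'Alex', 'Last name': 'Example',
  Email: 'alex@example.test', Phone: '555-0100',
  Address: '1 Constructed St', SSN: '000-00-0000' };

console.log(planIdentityFill(sampleForm, sampleIdentity));
```

The `skipped` list is what an extension could show the user before filling, so a page requesting invisible identity fields is surfaced instead of silently ignored.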

