Jump to content
Enpass Discussion Forum

Passwordstate password manager breach


Recommended Posts

Hey Enpass devs!  I just read about a breach with a manager called "Passwordstate".  Apparently their third-party upgrade mechanism injected malware into the update and now thousands of users had their passwords and other info stolen directly out of their managers.  Talk about a nightmare scenario!  

  • What does the Enpass updater mechanism look like? 
  • Is that maintained by Enpass alone?
  • How secure is the updater scheme?

Thanks!  My family are all committed Enpass users (multiple screens & PCs).

Link to comment
Share on other sites

Hi @electrolund,

I can understand the worry of our users after this incident. I would like to provide some explanation about delivery channels and tools we use:

We have our own system to notify updates and distribution  apart from standard app stores. All Enpass builds are automated and scanned against virustotal service to eliminate human error.

App stores:
Most of the Enpass installations happens through Various App stores (Apple store for macOS and iOS, Windows store and Google Play store), that does not require any third party installer. Updates are also handled by corresponding App stores.

Distributed via our website:
All the download happens through our own servers only and over https. In-built updater in Enpass for macOS and Windows, check for integrity after downloading an update.
1. macOS installer is built using standard pkg tools provided by apple.
2. Windows installer is built using latest version of widely known Open source wix tools.
3. Linux packages are distributed from our own signed apt and yum repositories.

Let me know if you have other queries.


Link to comment
Share on other sites

  • 3 weeks later...

Hi @Vinod Kumar

Couldn't there be a "flightmode" or something in Enpass? 

Or would such feature have to small audience? 

Supplychain-attacks aren't going away and with more and more builtin connectivity the risks for such inevitably increases. 

I'm thinking that would shut most outbound requests off. 

Disclaimers of less functionality, the need for manual update-checks, no favicons etc. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...