electrolund Posted April 26, 2021

Hey Enpass devs! I just read about a breach with a manager called "Passwordstate". Apparently their third-party upgrade mechanism injected malware into the update, and now thousands of users had their passwords and other info stolen directly out of their managers. Talk about a nightmare scenario! What does the Enpass updater mechanism look like? Is that maintained by Enpass alone? How secure is the updater scheme? Thanks! My family are all committed Enpass users (multiple screens & PCs).
Vinod Kumar Posted April 27, 2021

Hi @electrolund, I can understand the worry of our users after this incident. I would like to provide some explanation about the delivery channels and tools we use:

We have our own system to notify and distribute updates apart from the standard app stores. All Enpass builds are automated and scanned against the VirusTotal service to eliminate human error.

App stores: Most Enpass installations happen through the various app stores (Apple App Store for macOS and iOS, Windows Store and Google Play Store), which do not require any third-party installer. Updates are also handled by the corresponding app stores.

Distributed via our website: All downloads happen through our own servers only and over HTTPS. The in-built updater in Enpass for macOS and Windows checks for integrity after downloading an update.

1. The macOS installer is built using the standard pkg tools provided by Apple.
2. The Windows installer is built using the latest version of the widely known open-source WiX tools.
3. Linux packages are distributed from our own signed apt and yum repositories.

Let me know if you have other queries. Cheers :)
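The post above says the built-in updater "checks for integrity after downloading an update" without describing the check. The following is an added example, not Enpass's code and not a description of how Enpass actually verifies updates: it assumes a hypothetical scheme where the vendor signs a small manifest (version plus SHA-256 of the installer) with an Ed25519 key pinned in the client, and the client refuses to install unless the signature verifies, the version is newer than the one installed, and the downloaded payload hashes to the signed value. A compromised download server or CDN can swap the payload but cannot produce a matching signed manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest describes one update: the version it carries and the SHA-256 of
// the installer payload. In this hypothetical scheme the vendor signs the
// serialised manifest offline, never on the download server.
type Manifest struct {
	Version int
	SHA256  string
}

// Bytes serialises the manifest in a fixed form so signer and verifier
// always hash identical bytes.
func (m Manifest) Bytes() []byte {
	return []byte(fmt.Sprintf("version=%d\nsha256=%s\n", m.Version, m.SHA256))
}

// VerifyUpdate accepts a downloaded update only if the manifest is signed by
// the pinned vendor key, is newer than the installed version (blocks rollback
// to an older, vulnerable build) and the payload hashes to the signed value.
func VerifyUpdate(pub ed25519.PublicKey, installed int, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return errors.New("manifest not newer than installed version")
	}
	if fmt.Sprintf("%x", sha256.Sum256(payload)) != m.SHA256 {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

// RunDemo signs a constructed payload with a throwaway key, then verifies the
// genuine payload and a tampered copy. Returns (genuineErr, tamperedErr).
func RunDemo() (error, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo key
	payload := []byte("constructed installer bytes")  // constructed sample
	m := Manifest{Version: 2, SHA256: fmt.Sprintf("%x", sha256.Sum256(payload))}
	sig := ed25519.Sign(priv, m.Bytes()) // vendor-side signing step
	tampered := append(append([]byte{}, payload...), " + injected"...)
	return VerifyUpdate(pub, 1, m, sig, payload), VerifyUpdate(pub, 1, m, sig, tampered)
}

func main() {
	g, t := RunDemo()
	fmt.Println("genuine:", g, "| tampered:", t)
}
```

The genuine payload verifies with a nil error; the tampered copy fails on the hash check even though the manifest and signature are untouched, which is the property an updater needs against injection between the vendor and the user.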
Ivarson Posted May 13, 2021

Hi @Vinod Kumar, couldn't there be a "flight mode" or something in Enpass? Or would such a feature have too small an audience? Supply-chain attacks aren't going away, and with more and more built-in connectivity the risks for such inevitably increase. I'm thinking that would shut most outbound requests off. Disclaimers of less functionality, the need for manual update checks, no favicons etc.
Vinod Kumar Posted May 15, 2021

Hi @Ivarson, I understand your concern, but having a setting in Enpass will not solve it. You can always restrict Enpass connectivity via a firewall. Cheers :)