UdhayanithiG, posted June 15, 2021:

Hi,

I have recently read an article written by Tavis Ormandy, Link. So I'm curious to know whether Enpass has these vulnerabilities or not.

Thanks

UdhayanithiG, posted June 15, 2021:

Well, he is a vulnerability researcher at Google.

Vinod Kumar, posted June 15, 2021:

Hi @UdhayanithiG,

Thanks for raising the question. The short answer is NO.

The article mostly discussed the autofill extensions of online password managers, which inject their UI/chrome into the web page and interact with their server. This additional chrome can be exploited by clickjacking, or exposed server endpoints can be accessed by additional scripts, because they live in the same shared space, i.e. the webpage.

Here are a few points on how Enpass is immune to such attacks:

1. Enpass injects only a limited script to detect the presence of forms that the user may want to autofill. It does not inject any chrome/UI that can be clickjacked. The autofill UI is a separate process from the browser and immune to such attacks.
2. The connection between the local application and the browser extension is authenticated by the user via a manual pairing mechanism, and communication is encrypted with a shared key which malicious scripts can't access.
3. Enpass, by default, requires user intervention before supplying any credential to a webpage.

In the future, if Enpass introduces a feature that requires additional UI injection in the webpage to increase user convenience, that would certainly be inside the attack surface mentioned in the article. But be assured such a feature will be optional and you can keep the Enpass extension in a configuration as it is today.

Cheers :)