Tavis Ormandy About Password Manager

[UdhayanithiG]

Hi

I have recently read an article written by Tavis Ormandy, Link. So I'm curious to know that Enpass have these vulnerabilities or not?. 

 

Thanks

[UdhayanithiG]

Well, he is a vulnerability researcher at Google.

[Vinod Kumar]

Hi @UdhayanithiG,

Thanks for raising the question. The short answer is NO.

The article mostly discussed about autofill extension of online password managers which injects their UI/chrome into web page and interact with their server. This additional chrome can be exploited by clickjacking or exposed server endpoints can be accessed by additional scripts because they live in the same shared space i.e. the webpage. Here are few points how Enpass is immune to such attacks:

1. Enpass does inject only limited script to detect presence of forms that user may want to autofill. It does not inject any chrome/UI that can be clickjacked. The autofill UI is a separate process than the browser and immune to such attacks.

2. The connection between local application and browser extension is authenticated by user via manual pairing mechanism by user and communication is encrypted with a shared key which malicious scripts can't access.

3. Enpass, by default, requires user intervention before supplying any credential to webpage.

In future, if Enpass introduce a feature that require additional UI injection in the webpage to increase user convenience that would certainly be inside the attack surface mentioned in the article. But be assured such a feature will be optional and you can keep Enpass extension in a configuration as it is today.

Cheers:)