Enpass Discussion Forum

Lastpass leak - same with Enpass?


Daniel-san


So I made an account quickly to ask if the same thing is also an issue with Enpass.

On the Dutch website www.tweakers.net and on www.nu.nl, news articles have been published today about Lastpass's big privacy leaks. Apparently there were two and luckily Lastpass has fixed them both within a day, but is it the same with Enpass? Does the team even know about it, and are they working to find out whether the same is the case?

Links here: https://tweakers.net/nieuws/114017/google-onderzoeker-vindt-op-afstand-te-gebruiken-lek-in-lastpass.html

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

https://twitter.com/taviso

I see that the Enpass extensions in Opera, Chrome, Vivaldi and Firefox haven't been updated since mid and end of May 2016, so that worries me.


Hi @Daniel-san,

Thanks for your message. I really appreciate your awareness about the security of your data.

In one sentence, I can say that Enpass is not at all affected by this issue.

5 hours ago, Daniel-san said:

This link states how the passwords from Lastpass were revealed to unknown websites due to a logical bug in using regular expressions, while in Enpass we have used the proper function provided in the SDK to extract the hostname from the URL.

QString QUrl::host(ComponentFormattingOptions options = FullyDecoded);

When you visit any webpage with a URL, say http://www.example.com/login/, and click the Enpass extension icon or press the shortcut key for autofilling, the whole URL is passed to the main desktop app, which by using the above function extracts the hostname as www.example.com, from which the domain name is further extracted as example.com. Now the main Enpass app finds all the matching items for example.com and transmits their icon, title and subtitle to Enpass-Helper (part of the Enpass app and not the extension). Enpass-Helper displays this information to the user and waits for the user to select the item for autofilling. (This step is bypassed if the user has requested autofill using the shortcut key and only a single item exists matching that domain.) Upon selection, the information of the selected item is passed from Enpass-Helper to the Enpass app, which further supplies the username and password to the Enpass browser extension. All this communication is secure and happens on localhost, about which you can read more here in our user manual.

As you can see, most of the work is done in the Enpass app itself rather than the extension, and we keep updating our desktop app on a regular basis, so you can confidently use Enpass and its browser extensions.

If you still have any doubts, please feel free to share with us.

Cheers and have fun with Enpass!

Hemant

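The difference described in the reply above, between hand-written regex extraction and a URL parser's host function, shown as an added example that is not part of the original posts and is neither Enpass nor Lastpass code. The regex, the vault entry, the sample URLs and the function names are constructed for illustration, and the WHATWG `URL` class stands in for the role `QUrl::host()` plays in the post.

```javascript
// Added example: not Enpass or Lastpass code. Regex, vault and URLs are constructed.

// Hand-written extraction: optional scheme, optional "userinfo@", then the host.
// The greedy ".*@" also swallows "/", "?" and "#", so an "@" in the path,
// query or fragment is mistaken for the end of the userinfo.
function hostByRegex(url) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:.*@)?([^\/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Parser-based extraction: the parser splits authority, path, query and fragment first.
function hostByParser(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname; // lowercased; userinfo, port and path excluded
  } catch {
    return null; // unparsable input matches nothing
  }
}

// Simplified domain match: the exact host or a subdomain of the stored domain.
// (Assumption: a real implementation would consult the Public Suffix List.)
function matchingItems(url, vault, hostFn) {
  const host = hostFn(url);
  if (!host) return [];
  return vault
    .filter(i => host === i.domain || host.endsWith("." + i.domain))
    .map(i => i.title);
}

const vault = [{ title: "Bank", domain: "bank.example" }]; // constructed
const samples = [ // constructed
  "https://www.bank.example/login/",
  "https://user@www.bank.example:8443/login",
  "https://other.example/@bank.example/login",
  "https://other.example/?next=@bank.example",
  "https://other.example/#@bank.example",
  "https://bank.example.other.example/login",
];

// Items each extractor would offer for autofill on every sample page.
function compare() {
  return samples.map(url => ({ url, regex: matchingItems(url, vault, hostByRegex),
                               parser: matchingItems(url, vault, hostByParser) }));
}

for (const r of compare()) console.log(r.url, "regex:", r.regex, "parser:", r.parser);
```

The two extractors agree on the first two and the last URL; on the three URLs that carry an `@` after the host, only the regex version offers the stored item to a page on a different host.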

This topic is now closed to further replies.