Daniel-san
Posted July 28, 2016

So I made an account quickly to ask if the same thing is also an issue with Enpass.

Via the Dutch websites www.tweakers.net and www.nu.nl, news articles have been published today about LastPass's big privacy leaks. Apparently there were two, and luckily LastPass has fixed them both within a day, but is it the same with Enpass? Does the team even know about it, and are they working on it to find out if the same is the case?

Links here:
https://tweakers.net/nieuws/114017/google-onderzoeker-vindt-op-afstand-te-gebruiken-lek-in-lastpass.html
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
https://twitter.com/taviso

I see that the Enpass extensions in Opera, Chrome, Vivaldi and Firefox haven't been updated since mid and end of May 2016, so that worries me.
Hemant Kumar
Posted July 28, 2016

Hi @Daniel-san,

Thanks for your message. I really appreciate your awareness about the security of your data. In one sentence, I can say that Enpass is not at all affected by this issue.

5 hours ago, Daniel-san said:
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

This link states how the passwords from LastPass were revealed to unknown websites due to a logical bug in using regular expressions, while in Enpass we have used the proper function provided in the SDK to extract the hostname from the URL.

    QString QUrl::host(ComponentFormattingOptions options = FullyDecoded);

When you visit any webpage with a URL, say http://www.example.com/login/, and click the Enpass extension icon or press the shortcut key for autofilling, the whole URL is passed to the main Desktop App, which by using the above function extracts the hostname as www.example.com, from which the domain name would be further extracted as example.com.

Now the main Enpass App finds all the matching items for example.com and transmits their icon, title and subtitle to Enpass-Helper (part of the Enpass App and not the extension).

Enpass-Helper displays this information to the user and waits for the user to select the item for autofilling. (This step is bypassed if the user has requested autofill using the shortcut key and only a single item exists matching that domain.)

Upon selection, the information of the selected item is passed from Enpass-Helper to the Enpass app, which further supplies the username and password to the Enpass browser extension.

All this communication is secure and happens on localhost, about which you can read more here in our user manual.

As you can see, most of the work is done in the Enpass App itself rather than the extension, and we keep updating our desktop App on a regular basis, so you can confidently use Enpass and its browser extensions. If you still have any doubts, please feel free to share with us.
Cheers and have fun with Enpass!
Hemant
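
The lookup flow described in the reply above (page URL, then host, then domain, then matching items), as an added Python example that is not Enpass code: `urllib.parse` stands in for `QUrl::host`, and the vault contents, the two-entry suffix set and the comparison regex are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample vault, keyed by registrable domain.
VAULT = {"example.com": ["Example login"], "example.co.uk": ["Example UK login"]}

# Constructed stand-in for the Public Suffix List; real code loads the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Hypothetical ad-hoc pattern for comparison only; not taken from any product.
NAIVE_HOST_RE = re.compile(r"^https?://([^/@:]+)")


def host_from_url(url):
    """Return the host using a real URL parser, or None if unusable."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; userinfo and port already removed
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host


def registrable_domain(host):
    """Reduce www.example.com to example.com, honouring multi-label suffixes."""
    labels = host.rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < keep or labels[-1].isdigit():  # bare names, IPv4 literals
        return None
    return ".".join(labels[-keep:])


def matching_items(url):
    """Items offered for autofill on this page URL (empty list if none)."""
    host = host_from_url(url)
    domain = registrable_domain(host) if host else None
    return VAULT.get(domain, [])


def naive_host(url):
    """Host according to the ad-hoc regex, for comparison with the parser."""
    m = NAIVE_HOST_RE.match(url)
    return m.group(1) if m else None


if __name__ == "__main__":
    for url in ("http://www.example.com/login/",
                "https://www.example.com@other.test/login",
                "http://example.com.other.test/"):
        print(url, "| regex:", naive_host(url), "| parser:", host_from_url(url),
              "| items:", matching_items(url))
```

Running it prints, for each constructed URL, the host each method reports and the items that would be offered; the parser and the regex agree only on the first URL.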