MarkV
Posted February 4, 2019 (edited)

Due to webserver peculiarities, I suppose, a website gives the error "Error 500" (HTTP Web Server: Invalid URL Exception) when Enpass tries to autofill login details:

https://www.crawfordeclaims.com/Websites/Website00_3/BroadspireCS_Webclaims.nsf/default.html

The issue is that I cannot turn off "Autosubmit Login". Enpass always submits login details irrespective of whether this option is enabled or not. Please fix. Thank you.

Edited November 19, 2019 by MarkV

Anshu kumar
Posted February 5, 2019

Hey @MarkV,

Thanks for reporting this issue. I have noted it down and forwarded it to the dev team to look into. Till then, we request you to please co-operate with us.

MarkV (Author)
Posted March 26, 2019

Hello,

Is there any ETA on a fix? It certainly does not feel like turning the "Autosubmit Login" option on/off should be that complicated or require a lot of time to fix.

MarkV (Author)
Posted April 1, 2019

Hurray! Enpass 7.0.1 was released and the bug was squashed!

Guest Vikram Dabas
Posted April 5, 2019

Hi @MarkV,

Sincere apologies that the issue took more time than expected. It's been resolved, and an update v6.1 with the fixes will be rolled out soon. We appreciate your patience.

MarkV (Author)
Posted May 28, 2019 (edited)

Despite the statement that version 6.1.0 (390) fixes:

"A UI bug where enabling/disabling the checkbox of 'Autosubmit Login' in Enpass Browser settings didn't display the actual state"

this is not the case in my experience. Enpass still appends autofill data to the URL when I click a website URL in Enpass while the 'Autosubmit Login' option is disabled:

https://www.crawfordeclaims.com/Websites/Website00_3/BroadspireCS_Webclaims.nsf/default.html?Enpass6AutoFill=[CENSORED]=

And consequently I still get the 'Error 500: HTTP Web Server: Invalid URL Exception' when I click the above URL in Enpass with the 'Autosubmit Login' option disabled.

Edited May 28, 2019 by MarkV

MarkV (Author)
Posted July 11, 2019

Version 6.1.1 is out and the bug is still not fixed. Somehow this does not surprise me anymore... But I will keep complaining about the problem being ignored anyway.

On a related matter, the whole approach of appending autofill data to the URL is wrong, i.e.:

SOMEURL/default.html?Enpass6AutoFill=SOMELOGINDATA

You don't see 1Password appending anything to the URL, and 1Password works perfectly, and 1Password has great support.

MarkV (Author)
Posted July 19, 2019

Version 6.1.2 is out and the bug is still not fixed.

MarkV (Author)
Posted September 23, 2019

Enpass 6.1.3 is out. "Autosubmit Login" option's on/off switch still does not function.

MarkV (Author)
Posted September 27, 2019

Enpass 6.2.0 is out. "Autosubmit Login" option's on/off switch still does not function.

MarkV (Author)
Posted November 19, 2019

Enpass 6.3.0 is out. The issue that was reported 288 days ago is still not fixed.

Ankur Gupta
Posted November 19, 2019

Hi @MarkV,

We are extremely sorry for the trouble you have been facing for a long time. The last revert to you regarding the confirmation of getting the issue fixed was actually a misunderstanding from our side. That fix was related to some other issue in the UI, but not exactly what you have been asking for.

Coming to your point now. Actually, Enpass has to append "Enpass6AutoFill=[CENSORED]=" to the URL as a message to the extension to continue with autofill, so we can't decide to append or not based on the autosubmit selection. That's a different thing.

But what you're asking is also a niche but genuine requirement. We can fix it with a workaround like 'shift+click' on a link to open that link without appending anything to the URL. Is that OK for you if it goes this way?

Thanks.

MarkV (Author)
Posted November 20, 2019

Hi Ankur! Thanks for the reply!

13 hours ago, Ankur Gupta said:
> Actually Enpass has to append "Enpass6AutoFill=[CENSORED]=" in the URL as a message to extension to continue with autofill

Well, 1Password, for example, does not do it. But that is a bit off topic, so there is no need to discuss that.

13 hours ago, Ankur Gupta said:
> But what you're asking is also a niche but genuine requirement. We can fix it with a workaround like 'shift+click' on link to open that link without appending anything to URL. Is that OK for you if that goes this way?

The way I understand it, I would not call it a matter of a "niche requirement", but rather "fixing an existing feature that does not work". There is a box to check/un-check the "Autosubmit Login" feature. The way I imagine it should work is that when the box is un-checked and I click a link to a website, Enpass simply opens the link in a web browser without appending login details to the URL, right? But if I'm wrong, please correct me.

Ankur Gupta
Posted November 20, 2019

Hi @MarkV,

51 minutes ago, MarkV said:
> There is a box to check/un-check "Autosubmit Login" feature. The way I imagine it should work, is when the box is un-checked, and when I click a link to a website, then Enpass simply opens link in a web browser without appending login details to URL, right?

Sorry to say, but this checkbox doesn't function as you imagined. It is an option to choose whether the login/sign-in button will be clicked automatically after filling in the username and password on the webpage.

Thanks.

JakeC
Posted December 9, 2019 (edited)

Hi,

I'm evaluating several password managers, and Enpass made it to the short list. Although I haven't experienced an HTTP 500 error as MarkV described, I have some concerns regarding why it is necessary to append the data in the Enpass6AutoFill token to the query string of the URL. It wouldn't bother me at all if this data were only accessible to the Enpass browser extension(s), but a side effect of appending this data to the URL is that it is being sent to the server I'm logging into!

The Enpass6AutoFill token looked to be Base64, so I decoded it. It looks to only contain UUIDs identifying the records in the Enpass database related to the specific site I'm logging into. Not sure if a malicious or compromised web server could use this information; but regardless, sending any data to a server that is not absolutely necessary is bad security!

On 11/19/2019 at 1:57 PM, Ankur Gupta said:
> Coming to your point now. Actually Enpass has to append "Enpass6AutoFill=[CENSORED]=" in the URL as a message to extension to continue with autofill, so we can't decide to append or not based on the autosubmit selection. That's a different thing.

If I open a new tab in Safari, type http://www.netflix.com without appending the Enpass6AutoFill token, click on the icon for the Enpass Safari extension, and double-click on the Netflix entry in Enpass, the username and password are filled in perfectly fine! So I'm not convinced that the Enpass6AutoFill token is required in order for the Safari browser extension to work properly, as Ankur Gupta suggests.

So before I purchase licensed copies of Enpass for all my devices: why is it absolutely necessary to append the EnpassAutoFill token to the query string of the URL when clicking on the links within the Enpass desktop app? Has the potential of this information being exploited in some way been considered? What measures have been taken to ensure this information cannot be exploited?

Edited December 9, 2019 by JakeC

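Added example (not part of the thread and not Enpass code): a Node.js illustration of the exposure JakeC describes, showing what a receiving server's access log holds when a Base64 token is appended to the query string, plus a helper that returns the URL with the parameter stripped. The token layout (JSON with an `items` array), the host name and the log lines are constructed; the real Enpass token format is not documented in this thread.

```javascript
// Added example: constructed data only, not Enpass code.
const PARAM = "Enpass6AutoFill"; // parameter name as quoted in the thread
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;

// Constructed sample: the token layout here is an assumption for illustration.
const SAMPLE_IDS = [
  "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
  "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
];
const SAMPLE_TOKEN = Buffer.from(JSON.stringify({ items: SAMPLE_IDS })).toString("base64");
const SAMPLE_LOG = [
  `203.0.113.7 - - [09/Dec/2019:10:00:00 +0000] "GET /default.html?${PARAM}=${SAMPLE_TOKEN} HTTP/1.1" 500 512`,
  `203.0.113.7 - - [09/Dec/2019:10:00:05 +0000] "GET /default.html HTTP/1.1" 200 2048`,
];

// Report whether a URL carries the token, which UUID-shaped strings it decodes
// to, and the same URL with the parameter removed.
function inspectAutofillUrl(rawUrl) {
  const url = new URL(rawUrl);
  const raw = url.searchParams.get(PARAM);
  if (raw === null) return { present: false, uuids: [], cleanUrl: url.href };
  // URLSearchParams decodes '+' as a space; restore it, and accept URL-safe Base64.
  const b64 = raw.replace(/ /g, "+").replace(/-/g, "+").replace(/_/g, "/");
  const decoded = Buffer.from(b64, "base64").toString("latin1");
  const found = (decoded.match(UUID_RE) || []).map((s) => s.toLowerCase());
  url.searchParams.delete(PARAM);
  return { present: true, uuids: [...new Set(found)], cleanUrl: url.href };
}

// Server-side view: every identifier recoverable from request lines in an
// access log (combined log format assumed).
function leakedInLog(lines, origin) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP/);
    if (!m) continue;
    const result = inspectAutofillUrl(new URL(m[1], origin).href);
    if (result.present) hits.push(...result.uuids);
  }
  return hits;
}

console.log(leakedInLog(SAMPLE_LOG, "https://login.example.test"));
```

The same query string also reaches any proxy or logging layer in front of the server, so a log review for this parameter name covers those as well.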