Jump to content
MarkV

BUG [6.0.0 - 6.3.0]: Cannot turn off "Autosubmit Login" option

Recommended Posts

Due to a webserver peculiarities, I suppose, a website gives error "Error 500" (HTTP Web Server: Invalid URL Exception) when Enpass tries to auto fill login details:

https://www.crawfordeclaims.com/Websites/Website00_3/BroadspireCS_Webclaims.nsf/default.html

 

The issue is that I cannot turn off "Autosubmit Login". Enpass always submits login details irrespective whether this option in enabled or not.

Please fix.

Thank you.

Edited by MarkV

Share this post


Link to post
Share on other sites

Hello,

Is there any ETA on fix?

It certainly does not feel that turning on/off the "Autosubmit Login" option should be that complicated and requires a lot of time to fix.

Autologin.png

Share this post


Link to post
Share on other sites

Hi @MarkV

Sincere apologies that the issue took more time than expected. It's been resolved, and an update v6.1 with the fixes will be rolled out soon. We appreciate your patience.

Share this post


Link to post
Share on other sites

Despite statement that version 6.1.0 (390) fixes:

"A UI bug where enabling/disabling the checkbox of 'Autosubmit Login' in Enpass Browser settings didn't display the actual state"

This is not the case in my experience.

Enpass still appends autofill data to URL when I click website URL in Enpass and when 'Autosubmit Login' option is disabled:

https://www.crawfordeclaims.com/Websites/Website00_3/BroadspireCS_Webclaims.nsf/default.html?Enpass6AutoFill=[CENSORED]=

And consequently I still get the 'Error 500: HTTP Web Server: Invalid URL Exception' when I click the above URL in Enpass with 'Autosubmit Login' option disabled.

Edited by MarkV

Share this post


Link to post
Share on other sites

Version 6.1.1 is out and the bug is still not fixed.

Somehow this does not surprise me anymore... But I will keep complaining about the problem being ignored anyway.

 

On a related matter, the whole approach of appending autofill data to URL is wrong, i.e.: 

SOMEURL/default.html?Enpass6AutoFill=SOMELOGINDATA

You don't see 1Password appending anything to URL, and 1Password works perfectly, and 1Password has a great support.

Share this post


Link to post
Share on other sites

Hi @MarkV,

We are extremely sorry for the trouble you have been facing from a long time. 

The last revert to you regarding the confirmation of getting the issue fixed was actually a misunderstanding from our side. That fix was related to some other issue in the UI but not exactly what you have been asking for.

Coming to your point now. Actually Enpass has to append "Enpass6AutoFill=[CENSORED]=" in the URL as a message to extension to continue with autofill, so we can't decide to append or not based on the autosubmit selection. That's a different thing. 

But what you're asking is also a niche but genuine requirement. We can fix it with a workaround like 'shift+click' on link to open that link without appending anything to URL. Is that OK for you if that goes this way?

Thanks.

Share this post


Link to post
Share on other sites

Hi Ankur!

Thanks for reply!

13 hours ago, Ankur Gupta said:

Actually Enpass has to append "Enpass6AutoFill=[CENSORED]=" in the URL as a message to extension to continue with autofill

Well, 1Password, for example, does not do it.

But that is a bit off topic, so there is no need to discuss that.

13 hours ago, Ankur Gupta said:

But what you're asking is also a niche but genuine requirement. We can fix it with a workaround like 'shift+click' on link to open that link without appending anything to URL. Is that OK for you if that goes this way?

The way I understand it, I would not call it a matter of a "niche requirement", but rather "fixing an existing feature that does not work".

There is a box to check/un-check "Autosubmit Login" feature. The way I imagine it should work, is when the box is un-checked, and when I click a link to a website, then Enpass simply opens link in a web browser without appending login details to URL, right?

But if I'm wrong, please correct me.

Share this post


Link to post
Share on other sites

Hi @MarkV,

51 minutes ago, MarkV said:

There is a box to check/un-check "Autosubmit Login" feature. The way I imagine it should work, is when the box is un-checked, and when I click a link to a website, then Enpass simply opens link in a web browser without appending login details to URL, right?

Sorry to say but this checkbox doesn't function as you imagined. It is option to choose if login/sign-in button will be clicked automatically after filling username and password on webpage.

Thanks.

Share this post


Link to post
Share on other sites

Hi,

I'm evaluating several password managers, and Enpass made it to the short list. Although I haven't experienced an HTTP 500 error as MarkV described, I have some concerns regarding why it is necessary to append the data in the Enpass6AutoFill token to the query string of the URL. It wouldn't bother me at all if this data would only be accessible to the Enpass Browser extension(s), but a side effect of appending this data to the URL is that it is being sent to the server I'm logging into! The Enpass6AutoFill token looked to be Base64, so I decoded it. It looks to only contain UUID's identifying the records in the Enpass database related to the specific site I'm logging into. Not sure if a malicious or compromised web server could use this information; but regardless, sending any data to a server that is not absolutely necessary is bad security! 

On 11/19/2019 at 1:57 PM, Ankur Gupta said:

Coming to your point now. Actually Enpass has to append "Enpass6AutoFill=[CENSORED]=" in the URL as a message to extension to continue with autofill, so we can't decide to append or not based on the autosubmit selection. That's a different thing. 

If I open a new tab in Safari, type http://www.netflix.com without appending the Enpass6AutoFill token, click on the icon for the Enpass Safari extension, double-click on the Netflix entry in Enpass, the username and password is filled in perfectly fine! So I'm not convinced that the Enpass6AutoFill token is required in order for the Safari browser extension to work properly as Ankur Gupta suggests.

So before I purchase licensed copies of Enpass for all my devices, why is it absolutely necessary to append the EnpassAutoFill token to the query string of the URL when clicking on the links within the Enpass desktop app? Has the potential of this information being exploited in some way been considered? What measures have been taken to ensure this information cannot be exploited?

 

Edited by JakeC

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×
×
  • Create New...