Skip to content
View in the app

A better way to browse. Learn more.
Enpass Discussion Forum

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.
We’re on Reddit now, Come and join us there!!

Is there are backdoor in Enpass with OneDrive Sync?

MOM20xx
in Cloud Sync

Featured Replies

Hi,

I'm wondering why Enpass Folder on Onedrive is shared. On my Mac i see

image.thumb.png.25f89fcd74425d96ea80b7467c305845.png

 

What is i:0i.t|ms.sp.ext|00000000-0000-0000-0000-0000442bb943@9188040d-6c67-4c5b-b112-36a304b66dad? My girlfriend has the same entry in your onedrive for enpass folder

 

  • Author

ok this seems to be enpass itself according to the following screenshot. 

image.thumb.png.c3cc206be671fe7d4733f88f80f7378e.png

is this correct?

 

and 9188040d-6c67-4c5b-b112-36a304b66dad is the microsoft tenant for microsoft personal accounts

This is part of the sync process for Enpass on OneDrive. If multiple users have access to the same Enpass folder, they will be able to view the same entries across both of your OneDrive accounts.

  • 3 weeks later...

Microsoft uses tokens for everything, so if you change your account passwort or email address, apps and services won't loose the connection.

  • 3 months later...
Quote

If multiple users have access to the same Enpass folder, they will be able to view the same entries across both of your OneDrive accounts.

Hi, I'm not sure to understand how it's working:

  1. this sharing configuration seems mandatory although I share with nobody (and I don't want to share it)
  2. the way the sharing is created is strange: you cannot edit it and onedrive is failing to change the sharing options (lire remove or edit)

Sharing is not mandatory, and if it were, you couldn't say that you share with nobody. If you did share the Enpass folder with another real user (which I wouldn't recommend), then of course that user would be able to access your vault's data, but would still need the master password to see the contents.

However, what we're talking about here is not a real share, but the side-effect of a security feature. Like almost every other app accessing an account at any service, Enpass uses a so called OAuth token to do so. This way it doesn't have to store your username and password and also can do only the things on the account that it was authorized for. It seems that Microsoft uses some type of ghost user to provide that token, and this ghost user erroneously shows up in the sharing screen of the OneDrive app. This might be confusing but is nothing to worry about. It's a mere oversight of some OneDrive app developer in the process of fetching and displaying the folder's access rights, which also explains why the app isn't able to tamper with it and why you shouldn't try to do so.

Edited by Bachsau

Create an account or sign in to comment
Go to topic listing

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.