pfn / keepasshttp

KeePass plugin to expose password entries securely (256bit AES/CBC) over HTTP
GNU General Public License v3.0

Security Flaw #362

Open tinnted opened 6 years ago

tinnted commented 6 years ago

Using the KeepassHelper extension in Opera and Firefox and sending "about:home", which is actually the Mozilla home page URL, returns all the passwords from the database. All the settings are at default, and the worst thing is I don't give permission to any entries; I like to have a prompt every time I need a password, but it does nothing in this case.

pfn commented 6 years ago

This sounds impossible. Unless this is a new feature to render passwords on the home page.

tinnted commented 6 years ago

Should I attach a screenshot? I will also try it in Ubuntu and see if the same happens, or will try to see if there are any other extensions that use the keepasshttp gateway and see if they do the same.

pfn commented 6 years ago

I suppose, but the likely case is that there's something installed that is somehow requesting the password list function.

m-a-y-k commented 5 years ago

@tinnted I agree that one must allow each and every access to passwords. From the homepage I understand "user can allow or deny access to single entries" as a promise. @pfn However, I found a reproducible way to bypass the "Confirm Access" dialog. Please establish a private channel where we can rectify this.
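The thread reports two things without showing a mechanism: a host-less URL ("about:home") returning every entry, and the per-entry "Confirm Access" gate being skipped. The example below is added here and is not KeePassHttp's own code; it does not claim to be the plugin's actual bug. It shows one generic way a URL-based lookup produces exactly the reported behaviour (a suffix match against an empty host matches everything) next to a hardened lookup that refuses URLs with no http(s) host, matches on label boundaries, and releases a password only after an explicit allow for that entry and host. The `Entry` records, URLs and the `confirm` callback standing in for the dialog are constructed for this example.

```python
# Added example (not KeePassHttp's own code): how a URL-based entry lookup
# can degrade into "return everything" for a host-less URL such as about:home,
# and a hardened lookup that refuses such URLs and never releases a password
# without an explicit per-entry allow decision. Entry data, URLs and the
# confirm callback are constructed for this example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlsplit


@dataclass
class Entry:
    title: str
    url: str
    login: str
    password: str
    # hosts the user has already chosen "Allow" for (per-entry allow list)
    allowed_hosts: set = field(default_factory=set)


def make_entries() -> List[Entry]:
    """Constructed sample database; secrets are dummy values."""
    return [
        Entry("Shop", "https://example.com/login", "alice", "pw-shop"),
        Entry("Mail", "https://mail.example.net", "alice", "pw-mail"),
        Entry("Bank", "https://bank.example.org/", "alice", "pw-bank"),
    ]


def host_of(url: str) -> str:
    """Host component of a URL, lowercased; '' when there is none."""
    return (urlsplit(url).hostname or "").lower()


def naive_lookup(entries: List[Entry], request_url: str) -> List[Dict[str, str]]:
    """The failure mode: suffix-match each entry host against the request host.
    urlsplit("about:home").hostname is None, so wanted == "" and
    str.endswith("") is True for every entry: every password is returned,
    and nothing asks the user first."""
    wanted = host_of(request_url)
    return [{"title": e.title, "login": e.login, "password": e.password}
            for e in entries if host_of(e.url).endswith(wanted)]


class LookupRejected(ValueError):
    """Raised for a request URL that cannot name a site (no http(s) host)."""


def request_host(url: str) -> str:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise LookupRejected(f"refusing lookup for {url!r}: no http(s) host")
    return parts.hostname.lower()


def host_matches(entry_host: str, wanted: str) -> bool:
    """Match on label boundaries: the request host is the entry host itself
    or a subdomain of it. 'evilexample.com' must not match 'example.com'."""
    return bool(entry_host) and (wanted == entry_host or wanted.endswith("." + entry_host))


def hardened_lookup(entries: List[Entry], request_url: str,
                    confirm: Callable[[Entry, str], bool]) -> List[Dict[str, str]]:
    """Return credentials only for entries that match the request host AND
    that the user has allowed for that host (now or previously). `confirm`
    stands in for the Confirm Access dialog; a deny releases nothing and is
    not remembered, so the next request asks again."""
    wanted = request_host(request_url)          # raises for about:home etc.
    released = []
    for e in entries:
        if not host_matches(host_of(e.url), wanted):
            continue
        if wanted not in e.allowed_hosts:
            if not confirm(e, wanted):
                continue
            e.allowed_hosts.add(wanted)         # remember only an explicit allow
        released.append({"title": e.title, "login": e.login, "password": e.password})
    return released


if __name__ == "__main__":
    db = make_entries()
    print("naive, about:home ->", [r["title"] for r in naive_lookup(db, "about:home")])
    try:
        hardened_lookup(db, "about:home", lambda e, h: True)
    except LookupRejected as exc:
        print("hardened, about:home ->", exc)
    print("hardened, login.example.com ->",
          [r["title"] for r in hardened_lookup(db, "https://login.example.com/", lambda e, h: True)])
```

The point of the hardened version is that the allow decision is keyed on both the entry and the requesting host, a deny is never persisted, and a request that cannot name a site is rejected before any matching happens, so a stray or malformed URL can never widen the result set to the whole database.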