PSA: critical security vulnerability in third-party pass-compatible software, "QtPass"

HacKan hackan at
Thu Jan 4 18:37:07 CET 2018

Well, any GUI could simply execute pass in the background... plain
simple. QtPass is more than a GUI, it is a whole implementation.

On 01/04/2018 02:33 PM, Niklas Hambüchen wrote:
> Hello Jason, thanks for this announcement, I think it's effective and
> useful to broadcast that here.
> On 04/01/2018 17.35, Jason A. Donenfeld wrote:
>> All passwords generated with "QtPass"'s built-in password generator
> Would it be possible to have QtPass or any other GUIs of this kind have
> `pass` generate the passwords for them? That way, it would always use
> whatever method `pass` thinks is best for generating passwords.
> It would be really great if GUIs like that could really just be GUIs and
> delegate all cryptographically relevant operations to `pass`.
> To my knowledge, QtPass, beyond being compatible with pass, already has
> an option in the settings to use the `pass` executable for all storage
> operations. But it doesn't have an option to make `pass` generate the
> passwords.
> Does `pass` already have an interface that QtPass could use to let it
> generate passwords?
> The only info I've found on this so far is in
> where the QtPass maintainer says:
> "
> I'm waiting for the upcoming release of pass which supports a plugin
> system and if I recall correctly a straight forward way to select a
> password generator too.
> "
> from February 2017.

HacKan || Iván
GPG: 0x35710D312FDE468B
