PSA: critical security vulnerability in third-party pass-compatible software, "QtPass"

HacKan hackan at gmail.com
Thu Jan 4 18:37:07 CET 2018


Well, any GUI could simply execute pass in the background... plain and
simple. QtPass is more than a GUI, it is a whole implementation.


On 01/04/2018 02:33 PM, Niklas Hambüchen wrote:
> Hello Jason, thanks for this announcement, I think it's effective and
> useful to broadcast that here.
>
> On 04/01/2018 17.35, Jason A. Donenfeld wrote:
>> All passwords generated with "QtPass"'s built-in password generator
> Would it be possible to have QtPass or any other GUIs of this kind have
> `pass` generate the passwords for them? That way, it would always use
> whatever method `pass` thinks is best for generating passwords.
>
> It would be really great if GUIs like that could really just be GUIs and
> delegate all cryptographically relevant operations to `pass`.
>
> To my knowledge, QtPass, beyond being compatible with pass, already has
> an option in the settings to use the `pass` executable for all storage
> operations. But it doesn't have an option to make `pass` generate the
> passwords.
>
> Does `pass` already have an interface that QtPass could use to let it
> generate passwords?
>
> The only info I've found on this so far is in
> https://github.com/IJHack/QtPass/issues/296#issuecomment-281176510,
> where the QtPass maintainer says:
>
> "
> I'm waiting for the upcoming release of pass which supports a plugin
> system and if I recall correctly a straightforward way to select a
> password generator too.
> "
>
> from February 2017.
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/password-store

-- 
HacKan || Iván
GPG: 0x35710D312FDE468B


