PSA: critical security vulnerability in third-party pass-compatible software, "QtPass"

Niklas Hambüchen mail at
Thu Jan 4 18:46:43 CET 2018

On 04/01/2018 18.37, HacKan wrote:
> Well, any GUI could simply execute pass in the background... plain
> simple. QtPass is more than GUI, it is a whole implementation.

As I mentioned in the previous email, QtPass can be run in a mode where
it is not an implementation, but executes pass.
However, not yet for password generation.

I imagine for password generation, just shelling out to `pass generate`
won't do. Instead, something like `pass generate --no-save` will be
needed, that makes pass generate a password but not insert it into the
pass store.

This is so that the password can be inserted into QtPass's password
field in the GUI form, so that the user can pre-view it, and potentially
modify it according to whatever might be extra restrictions of the
system that needs to accept this password. For example, a common
workflow can be:

* User clicks "Generate" in the GUI's "New Password" form
* "Password" field in the form gets pre-filled by a password generated
by `pass`
* User copies the password to register to a web site
* Web site rejects the password, claiming that it must contain at least
one special character
* User appends a '!' to their generated password
* User copies the updated password to the website, which accepts it
* User clicks "Save" in the form in the GUI
* GUI calls `pass insert`

More information about the Password-Store mailing list