Using Browser Extension - Auditing Concerns

[parrishk]

Hello,

 

I tried to see if this issue has already been brought up but did not find anything.

 

It has been brought to my attention, the following scenario:

A user browses a website, lets say "https://portal.office.com" where they have a password entry saved in their private password list. We also have a high number of shared passwords that have the same URL. When the user browses "https://portal.office.com" the auditing log shows that the user "retrieved password" for every password we have in the database using that URL.

 

I feel that this process should be revised (assuming it has not been yet as we have yet to update to the latest version). There shouldn't be an audit entry stating that the password was retrieved unless it was actually pulled and used.

Maybe pull a list of titles/usernames and audit that but not the actual password unless it is intended to be used by the end user. This fills up the auditing log and could cause for some confusion when a user is showing tons of password pulls when they did not intentionally do so.

 

Has anyone else run into this?

 

Thank you.

[support]

Hello,

 

Yes, we are aware of this issue and have fixed it for the next rounds of releases for broswer extensions. We did not want to release so late in the year, as these new extensions when they automatically update in your browser, will force you to also upgrade Passwordstate if you want to continue using the extensions - there is a dependency change in the API needed here.

 

So we will release these updates at the start of next year.

Regards

Click Studios