Proton Pass is open source and audited for security | Proton

You can find the source code for Proton Pass here:

All issues reported in the security audit have been resolved except for the medium severity issue PRO-01-003 WP1, which unfortunately cannot be resolved at this time due to a platform limitation in Android (the Android operating system doesn’t currently provide the information that would be required to solve this issue). You can read the Proton Pass audit report for yourself. You can also find the audit reports for all Proton services.

The Android vulnerability is interesting, something to keep an eye on.


It’s the same reason why you shouldn’t enable autofill in any password manager; Bitwarden has autofill disabled by default because of interaction with untrusted iframes.


Audit didn’t find the memory issue. Interesting…

https://www.reddit.com/r/ProtonPass/comments/14uva6i/found_all_passwords_urls_and_usernames_in_memory/

I think it’s pro-01-004 wp3, it says items are not cleared from memory, even if the pin is used.

The auditor confirmed the issue was fixed, and the Reddit post said it would be fixed in the next version.

I think you’re right.

It seems they only checked Chrome extension, though.

Btw, from the reddit post. WOW!

I did not see the same behavior with other popular password managers like 1Password. They only hold the master password in memory.

You need to keep the master key in memory when the manager is unlocked, there is no reason to keep the unencrypted passwords in memory. Seeing how the master key already is in memory, it doesn’t make a huge difference, but they could get swapped to disk.
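The design the post above argues for, as an added example written for this thread and not code from Proton Pass or any other product: the vault holds only the master key and ciphertext, decrypts a single item on demand, and zeroes the plaintext buffer immediately after use. It assumes a 32-byte master key already derived from the master password by a KDF; `Vault`, `Store`, `WithPassword` and `Wipe` are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Vault keeps only the master key (an AES-GCM cipher) and ciphertext resident.
type Vault struct {
	gcm   cipher.AEAD
	items map[string][]byte // url -> nonce||ciphertext
}

// NewVault takes the 32-byte key a slow KDF derives from the master password.
func NewVault(masterKey []byte) *Vault {
	block, _ := aes.NewCipher(masterKey) // caller supplies a 16/24/32-byte key
	gcm, _ := cipher.NewGCM(block)
	return &Vault{gcm: gcm, items: map[string][]byte{}}
}

// Wipe overwrites a secret buffer with zeros (best effort under a GC).
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Store encrypts the password immediately and zeroes the caller's plaintext.
func (v *Vault) Store(url string, password []byte) {
	nonce := make([]byte, v.gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error in current Go
	v.items[url] = v.gcm.Seal(nonce, nonce, password, []byte(url))
	Wipe(password)
}

// WithPassword decrypts one item, hands it to fn, zeroes it; false on failure.
func (v *Vault) WithPassword(url string, fn func([]byte)) bool {
	blob, ns := v.items[url], v.gcm.NonceSize()
	if len(blob) < ns {
		return false
	}
	plain, err := v.gcm.Open(nil, blob[:ns], blob[ns:], []byte(url))
	if err != nil {
		return false
	}
	defer Wipe(plain)
	fn(plain)
	return true
}
```

Wiping is best effort: Go may have copied the slice, and nothing here pins the pages, so swap-out of the master key remains the residual risk the post mentions.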

Anyone that is able to scan the memory for the password or master key either has remote or local admin access to the system, and they would be able to install rootkits or similar malware.

Just tested Proton Pass. You log in once, then unlock it with a PIN. Could that be to protect the master password somehow?