vco1 Posted June 8, 2020 Share Posted June 8, 2020 I have added my password manager of choice - SafeInCloud Password Manager - to the Ignore Apps list for clipboard history in Alfred. However, passwords and other data copied from SafeInCloud are still visible in the Alfred clipboard history. Strangely enough with a Firefox icon. Am I missing something? Or is SafeInCloud Password Manager not using standard macOS calls for the clipboard? Link to comment
deanishe Posted June 8, 2020 Share Posted June 8, 2020 2 hours ago, vco1 said: Strangely enough with a Firefox icon Are you using SafeInCloud with Firefox and its Firefox extension? Link to comment
Vero Posted June 8, 2020 Share Posted June 8, 2020 @vco1 Welcome to the forum! Could you please fill in your Powerpack email address in your forum profile before asking Powerpack-related questions? Cheers, Vero Link to comment
vco1 Posted June 8, 2020 Author Share Posted June 8, 2020 28 minutes ago, deanishe said: Are you using SafeInCloud with Firefox and its Firefox extension? Yes and no. I do have the Firefox extension installed. But the behavior I'm describing happens when I copy a password directly from SafeInCloud and paste it into Firefox. So the copy is initiated from the application that's in the exclusion list for the clipboard history. Link to comment
vco1 Posted June 8, 2020 Author Share Posted June 8, 2020 20 minutes ago, Vero said: @vco1 Welcome to the forum! Could you please fill in your Powerpack email address in your forum profile before asking Powerpack-related questions? Although I like to keep these separate, I've updated my email address. Link to comment
deanishe Posted June 8, 2020 Share Posted June 8, 2020 (edited) 26 minutes ago, vco1 said: But the behavior I'm describing happens when I copy a password directly from SafeInCloud and paste it into Firefox. Alfred does ignore the password when you copy it from SafeInCloud, but for some bizarre reason, Firefox changes the clipboard when you paste in it. What it’s specifically doing is setting org.nspasteboard.AutoGeneratedType. For the life of me, I have no idea why it’s doing that, but technically Alfred should also ignore this text, as that’s one of the types clipboard history managers are supposed to ignore. Perhaps @Andrew can weigh in on this. In any case, if SafeInCloud were doing what it's supposed to do and marking the password as concealed, Alfred would ignore it. So ultimately, it's a security bug in SafeInCloud. Edited June 8, 2020 by deanishe Link to comment
Andrew Posted June 8, 2020 Share Posted June 8, 2020 @deanishe is spot on with his analysis of this. Alfred has an option to ignore concealed types (in the Features > Clipboard > Advanced options), defaulted to ignore. I'll add a second option to also ignore AutoGeneratedType, defaulted to off in Alfred 4.1. As much as I don't like adding additional options for these types corner cases, I think in this case, I may have to. This behaviour has been unchanged for many years, and there may be people who want AutoGeneratedType in their clipboard 😕 Cheers, Andrew Link to comment
deanishe Posted June 8, 2020 Share Posted June 8, 2020 (edited) 7 hours ago, Andrew said: I may have to Looks like it. I reported the issue to SafeInCloud, but the developer just replied, "The clipboard isn't secure, use autofill instead." So it doesn't look like he's going to do anything about it. Perhaps if you contacted him, he wouldn't just assume you're another idiot users, which many developers tend to do. 7 hours ago, Andrew said: there may be people who want AutoGeneratedType in their clipboard FWIW, I tested a couple of other clipboard history apps, and they ignore stuff tagged AutoGeneratedType. Edited June 8, 2020 by deanishe Link to comment
Andrew Posted June 8, 2020 Share Posted June 8, 2020 53 minutes ago, deanishe said: they ignore stuff tagged AutoGeneratedType I'll default this to on then, people can always turn it off. Cheers for your help! Link to comment
vco1 Posted June 9, 2020 Author Share Posted June 9, 2020 Thanks for all your help and investigations. Much appreciated. I did some additional testing too, and it turns out that if I copy a password from SafeInCloud it doesn't get stored in the clipboard history (so that option in Alfred seems to work as expected). But as soon as I paste it in Firefox it does. This behaviour disappears though if I disable the SafeInCloud Firefox add-on/extension. So even if I don't use the Firefox extension but simply copy and paste, it still has an impact on the clipboard history. Perhaps that's in line with your findings. I'm not too familiar with the details of the AutoGeneratedType flag and how/where it kicks in. Link to comment
deanishe Posted June 9, 2020 Share Posted June 9, 2020 (edited) 35 minutes ago, vco1 said: But as soon as I paste it in Firefox it does. This behaviour disappears though if I disable the SafeInCloud Firefox add-on/extension. I found it happened regardless of whether the SafeInCloud extension was enabled or not. But it might well be another extension causing the same behaviour for me. 35 minutes ago, vco1 said: I'm not too familiar with the details of the AutoGeneratedType flag and how/where it kicks in. It’s for situations where an application is using the clipboard to achieve some other ends. The user didn’t explicitly copy anything and won’t expect to find new data on the clipboard. System-wide snippet expansion apps, for example, typically put the snippet on the clipboard, paste it, and then restore the previous clipboard contents. That would be an appropriate situation to set AutoGeneratedType, though I think most just use TransientType. None of these flags are official, by the way, just conventions. They don't change the clipboard behaviour at all. It's up to individual apps to set and handle them appropriately. I consider it a bad sign that SafeInCloud’s developer doesn’t care about setting the ConcealedType flag on passwords copied to the clipboard. That is the default way to tell clipboard history managers to ignore the data, and many of them will save your passwords on disk in plaintext because SafeInCloud isn’t telling them not to. Edited June 9, 2020 by deanishe Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now