Passwords and clipboard history

[vco1]

I have added my password manager of choice - SafeInCloud Password Manager - to the Ignore Apps list for clipboard history in Alfred. However, passwords and other data copied from SafeInCloud are still visible in the Alfred clipboard history. Strangely enough with a Firefox icon.

 

Am I missing something? Or is SafeInCloud Password Manager not using standard macOS calls for the clipboard?

[deanishe]

2 hours ago, vco1 said:

Strangely enough with a Firefox icon

 

Are you using SafeInCloud with Firefox and its Firefox extension?

[Vero]

@vco1 Welcome to the forum! Could you please fill in your Powerpack email address in your forum profile before asking Powerpack-related questions?

 

Cheers,
Vero

[vco1]

28 minutes ago, deanishe said:

 

Are you using SafeInCloud with Firefox and its Firefox extension?

Yes and no. I do have the Firefox extension installed. But the behavior I'm describing happens when I copy a password directly from SafeInCloud and paste it into Firefox. So the copy is initiated from the application that's in the exclusion list for the clipboard history.

[vco1]

20 minutes ago, Vero said:

@vco1 Welcome to the forum! Could you please fill in your Powerpack email address in your forum profile before asking Powerpack-related questions?

Although I like to keep these separate, I've updated my email address.

[deanishe]

26 minutes ago, vco1 said:

But the behavior I'm describing happens when I copy a password directly from SafeInCloud and paste it into Firefox.

 

Alfred does ignore the password when you copy it from SafeInCloud, but for some bizarre reason, Firefox changes the clipboard when you paste in it.

What it’s specifically doing is setting org.nspasteboard.AutoGeneratedType. For the life of me, I have no idea why it’s doing that, but technically Alfred should also ignore this text, as that’s one of the types clipboard history managers are supposed to ignore. Perhaps @Andrew can weigh in on this.

 

In any case, if SafeInCloud were doing what it's supposed to do and marking the password as concealed, Alfred would ignore it. So ultimately, it's a security bug in SafeInCloud.

Edited June 8, 2020 by deanishe

[Andrew]

@deanishe is spot on with his analysis of this.

 

Alfred has an option to ignore concealed types (in the Features > Clipboard > Advanced options), defaulted to ignore. I'll add a second option to also ignore AutoGeneratedType, defaulted to off in Alfred 4.1. As much as I don't like adding additional options for these types corner cases, I think in this case, I may have to. This behaviour has been unchanged for many years, and there may be people who want AutoGeneratedType in their clipboard 😕 

 

Cheers,

Andrew

[deanishe]

7 hours ago, Andrew said:

I may have to

 

Looks like it. I reported the issue to SafeInCloud, but the developer just replied, "The clipboard isn't secure, use autofill instead." So it doesn't look like he's going to do anything about it. Perhaps if you contacted him, he wouldn't just assume you're another idiot users, which many developers tend to do.

 

7 hours ago, Andrew said:

there may be people who want AutoGeneratedType in their clipboard

 

FWIW, I tested a couple of other clipboard history apps, and they ignore stuff tagged AutoGeneratedType.

Edited June 8, 2020 by deanishe

[Andrew]

53 minutes ago, deanishe said:

they ignore stuff tagged AutoGeneratedType

 

I'll default this to on then, people can always turn it off. Cheers for your help!

[vco1]

Thanks for all your help and investigations. Much appreciated.

 

I did some additional testing too, and it turns out that if I copy a password from SafeInCloud it doesn't get stored in the clipboard history (so that option in Alfred seems to work as expected). But as soon as I paste it in Firefox it does. This behaviour disappears though if I disable the SafeInCloud Firefox add-on/extension.

 

So even if I don't use the Firefox extension but simply copy and paste, it still has an impact on the clipboard history. Perhaps that's in line with your findings. I'm not too familiar with the details of the AutoGeneratedType flag and how/where it kicks in.

[deanishe]

35 minutes ago, vco1 said:

But as soon as I paste it in Firefox it does. This behaviour disappears though if I disable the SafeInCloud Firefox add-on/extension.

 

I found it happened regardless of whether the SafeInCloud extension was enabled or not. But it might well be another extension causing the same behaviour for me.

 

35 minutes ago, vco1 said:

I'm not too familiar with the details of the AutoGeneratedType flag and how/where it kicks in.

 

It’s for situations where an application is using the clipboard to achieve some other ends. The user didn’t explicitly copy anything and won’t expect to find new data on the clipboard. System-wide snippet expansion apps, for example, typically put the snippet on the clipboard, paste it, and then restore the previous clipboard contents. That would be an appropriate situation to set AutoGeneratedType, though I think most just use TransientType.

 

None of these flags are official, by the way, just conventions. They don't change the clipboard behaviour at all. It's up to individual apps to set and handle them appropriately.

 

I consider it a bad sign that SafeInCloud’s developer doesn’t care about setting the ConcealedType flag on passwords copied to the clipboard. That is the default way to tell clipboard history managers to ignore the data, and many of them will save your passwords on disk in plaintext because SafeInCloud isn’t telling them not to.

Edited June 9, 2020 by deanishe