Jump to content

Passwords and clipboard history


Recommended Posts

I have added my password manager of choice - SafeInCloud Password Manager - to the Ignore Apps list for clipboard history in Alfred. However, passwords and other data copied from SafeInCloud are still visible in the Alfred clipboard history. Strangely enough with a Firefox icon.

 

Am I missing something? Or is SafeInCloud Password Manager not using standard macOS calls for the clipboard?

Link to post
28 minutes ago, deanishe said:

 

Are you using SafeInCloud with Firefox and its Firefox extension?

Yes and no. I do have the Firefox extension installed. But the behavior I'm describing happens when I copy a password directly from SafeInCloud and paste it into Firefox. So the copy is initiated from the application that's in the exclusion list for the clipboard history.

Link to post
20 minutes ago, Vero said:

@vco1 Welcome to the forum! Could you please fill in your Powerpack email address in your forum profile before asking Powerpack-related questions?

Although I like to keep these separate, I've updated my email address.

Link to post
Posted (edited)
26 minutes ago, vco1 said:

But the behavior I'm describing happens when I copy a password directly from SafeInCloud and paste it into Firefox.

 

Alfred does ignore the password when you copy it from SafeInCloud, but for some bizarre reason, Firefox changes the clipboard when you paste in it.


What it’s specifically doing is setting org.nspasteboard.AutoGeneratedType. For the life of me, I have no idea why it’s doing that, but technically Alfred should also ignore this text, as that’s one of the types clipboard history managers are supposed to ignore. Perhaps @Andrew can weigh in on this.

 

In any case, if SafeInCloud were doing what it's supposed to do and marking the password as concealed, Alfred would ignore it. So ultimately, it's a security bug in SafeInCloud.

Edited by deanishe
Link to post

@deanishe is spot on with his analysis of this.

 

Alfred has an option to ignore concealed types (in the Features > Clipboard > Advanced options), defaulted to ignore. I'll add a second option to also ignore AutoGeneratedType, defaulted to off in Alfred 4.1. As much as I don't like adding additional options for these types corner cases, I think in this case, I may have to. This behaviour has been unchanged for many years, and there may be people who want AutoGeneratedType in their clipboard 😕 

 

Cheers,

Andrew

Link to post
Posted (edited)
7 hours ago, Andrew said:

I may have to

 

Looks like it. I reported the issue to SafeInCloud, but the developer just replied, "The clipboard isn't secure, use autofill instead." So it doesn't look like he's going to do anything about it. Perhaps if you contacted him, he wouldn't just assume you're another idiot users, which many developers tend to do.

 

7 hours ago, Andrew said:

there may be people who want AutoGeneratedType in their clipboard

 

FWIW, I tested a couple of other clipboard history apps, and they ignore stuff tagged AutoGeneratedType.

Edited by deanishe
Link to post

Thanks for all your help and investigations. Much appreciated.

 

I did some additional testing too, and it turns out that if I copy a password from SafeInCloud it doesn't get stored in the clipboard history (so that option in Alfred seems to work as expected). But as soon as I paste it in Firefox it does. This behaviour disappears though if I disable the SafeInCloud Firefox add-on/extension.

 

So even if I don't use the Firefox extension but simply copy and paste, it still has an impact on the clipboard history. Perhaps that's in line with your findings. I'm not too familiar with the details of the AutoGeneratedType flag and how/where it kicks in.

Link to post
Posted (edited)
35 minutes ago, vco1 said:

But as soon as I paste it in Firefox it does. This behaviour disappears though if I disable the SafeInCloud Firefox add-on/extension.

 

I found it happened regardless of whether the SafeInCloud extension was enabled or not. But it might well be another extension causing the same behaviour for me.

 

35 minutes ago, vco1 said:

I'm not too familiar with the details of the AutoGeneratedType flag and how/where it kicks in.

 

It’s for situations where an application is using the clipboard to achieve some other ends. The user didn’t explicitly copy anything and won’t expect to find new data on the clipboard. System-wide snippet expansion apps, for example, typically put the snippet on the clipboard, paste it, and then restore the previous clipboard contents. That would be an appropriate situation to set AutoGeneratedType, though I think most just use TransientType.

 

None of these flags are official, by the way, just conventions. They don't change the clipboard behaviour at all. It's up to individual apps to set and handle them appropriately.

 

I consider it a bad sign that SafeInCloud’s developer doesn’t care about setting the ConcealedType flag on passwords copied to the clipboard. That is the default way to tell clipboard history managers to ignore the data, and many of them will save your passwords on disk in plaintext because SafeInCloud isn’t telling them not to.

Edited by deanishe
Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...