Does Pasteboard leaking mean that any app can see passwords that are entered?

https://www.mysk.blog/2020/02/24/precise-location-information-leaking-through-system-pasteboard/

First, does this mean when I copy and paste a password it is visible to every open application?

Second, what happens when I use the 1Password autofill prompts?

Third, how dangerous is this?

Separately, did you get hacked? My 1 Password says I need to change my password because you had some sort of breach - when & what happened, and how much risk/damage am I exposed to?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Does the iOS 1Password use copy and paste?

Comments

  • "A malicious app that actively monitors the pasteboard can store any content it finds in the pasteboard. Content ranges from contacts, photos, phone numbers, emails, IBAN bank information, URLs, PDFs of official documents, audio files, word documents, spreadsheets, to passwords. Users are always oblivious to what they might have left stored in the pasteboard. Sensitive data may reside unnoticed in the pasteboard for an extended period of time, making it vulnerable to such exploits."

  • BenBen AWS Team

    Team Member

    Hi @mjstarks

    I'd be happy to help with these concerns.

    Separately, did you get hacked? My 1 Password says I need to change my password because you had some sort of breach - when & what happened, and how much risk/damage am I exposed to?

    No; we were not hacked. You can read about the forum password reset situation here:

    Forum password reset

    Accounts for this support forum are entirely independent from your 1Password account / data and so even if there were a more significant problem it wouldn't affect 1Password.

    First, does this mean when I copy and paste a password it is visible to every open application?

    That is indeed the purpose of the clipboard. It wouldn't be a very valuable tool if that weren't true. :)

    Second, what happens when I use the 1Password autofill prompts?

    Autofill does not utilize the clipboard. Data passing through Apple's autofill feature is not available to applications other than the source app and the destination app.

    Third, how dangerous is this?

    I would argue that it really isn't, particularly if you're using secure unique passwords (which is one of the main points of using 1Password). Consider:

    1. Apple reviews and has to approve all apps and updates before they are made available on the App Store. They check for this kind of thing. If an app were submitted with code to monitor the clipboard for passwords they would very likely catch that and reject the app. This is one reason why it is important not to jailbreak your device - doing so circumvents those and other protections.
    2. If you're using secure unique passwords even if an app is monitoring the clipboard what would it gain to sniff these passwords from there? It still wouldn't have any context as to: if the text is even a password, what site/service it is for, etc.

    Obviously it wouldn't be ideal to have malware on your system monitoring your clipboard, for a lot of reasons beyond just passwords, but this isn't a reason to not use a password manager. If anything, it is all the more reason. :+1:

    Ben

  • Hi, can I comment on this please. When I am prompted to enter my Apple ID password (eg when purchasing a new app), it is usually in the form of a dialogue that has two buttons (enter and cancel). I cannot use 1Password to enter my credentials so I have to cancel and open 1Password, copy my Apple ID password then attempt the purchase again and paste it in. This works, but now my password is in plain text in the clipboard. Is there a safer way to do this?

  • BenBen AWS Team

    Team Member

    Hi @webweasel

    It would be great if in the future iOS would allow those dialogues to be filled by autofill, but at present time copying & pasting is seemingly the only solution. Drag & drop might be an option as well (iPad only), but split-view isn't available with the Settings app as far as I could find, so I wasn't able to find a spot to test that.

    Ben

  • webweaselwebweasel
    edited February 28

    Thanks Ben, I will file a feature request with Apple.

  • BenBen AWS Team

    Team Member

    :+1:

    Ben

  • FYI, in the news today about macOS apps that snoop on the pasteboard (clipboard):

    https://www.zdnet.com/article/these-popular-iphone-and-ipad-apps-are-snooping-on-data-copied-to-the-clipboard/

  • ag_anaag_ana

    Team Member

    Thank you for sharing this @angusl :+1: As my colleague Ben explained, if you use the Autofill feature, 1Password won't use the clipboard ;)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file