Does Pasteboard leaking mean that any app can see passwords that are entered?

mjstarks
mjstarks
Community Member

https://www.mysk.blog/2020/02/24/precise-location-information-leaking-through-system-pasteboard/

First, does this mean when I copy and paste a password it is visible to every open application?

Second, what happens when I use the 1Password autofill prompts?

Third, how dangerous is this?

Separately, did you get hacked? My 1 Password says I need to change my password because you had some sort of breach - when & what happened, and how much risk/damage am I exposed to?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Does the iOS 1Password use copy and paste?

Comments

  • mjstarks
    mjstarks
    Community Member

    "A malicious app that actively monitors the pasteboard can store any content it finds in the pasteboard. Content ranges from contacts, photos, phone numbers, emails, IBAN bank information, URLs, PDFs of official documents, audio files, word documents, spreadsheets, to passwords. Users are always oblivious to what they might have left stored in the pasteboard. Sensitive data may reside unnoticed in the pasteboard for an extended period of time, making it vulnerable to such exploits."

  • Hi @mjstarks

    I'd be happy to help with these concerns.

    Separately, did you get hacked? My 1 Password says I need to change my password because you had some sort of breach - when & what happened, and how much risk/damage am I exposed to?

    No; we were not hacked. You can read about the forum password reset situation here:

    Forum password reset

    Accounts for this support forum are entirely independent from your 1Password account / data and so even if there were a more significant problem it wouldn't affect 1Password.

    First, does this mean when I copy and paste a password it is visible to every open application?

    That is indeed the purpose of the clipboard. It wouldn't be a very valuable tool if that weren't true. :)

    Second, what happens when I use the 1Password autofill prompts?

    Autofill does not utilize the clipboard. Data passing through Apple's autofill feature is not available to applications other than the source app and the destination app.

    Third, how dangerous is this?

    I would argue that it really isn't, particularly if you're using secure unique passwords (which is one of the main points of using 1Password). Consider:

    1. Apple reviews and has to approve all apps and updates before they are made available on the App Store. They check for this kind of thing. If an app were submitted with code to monitor the clipboard for passwords they would very likely catch that and reject the app. This is one reason why it is important not to jailbreak your device - doing so circumvents those and other protections.
    2. If you're using secure unique passwords even if an app is monitoring the clipboard what would it gain to sniff these passwords from there? It still wouldn't have any context as to: if the text is even a password, what site/service it is for, etc.

    Obviously it wouldn't be ideal to have malware on your system monitoring your clipboard, for a lot of reasons beyond just passwords, but this isn't a reason to not use a password manager. If anything, it is all the more reason. :+1:

    Ben

  • webweasel
    webweasel
    Community Member

    Hi, can I comment on this please. When I am prompted to enter my Apple ID password (eg when purchasing a new app), it is usually in the form of a dialogue that has two buttons (enter and cancel). I cannot use 1Password to enter my credentials so I have to cancel and open 1Password, copy my Apple ID password then attempt the purchase again and paste it in. This works, but now my password is in plain text in the clipboard. Is there a safer way to do this?

  • Hi @webweasel

    It would be great if in the future iOS would allow those dialogues to be filled by autofill, but at present time copying & pasting is seemingly the only solution. Drag & drop might be an option as well (iPad only), but split-view isn't available with the Settings app as far as I could find, so I wasn't able to find a spot to test that.

    Ben

  • webweasel
    webweasel
    Community Member
    edited February 2020

    Thanks Ben, I will file a feature request with Apple.

  • :+1:

    Ben

  • angusl
    angusl
    Community Member

    FYI, in the news today about macOS apps that snoop on the pasteboard (clipboard):

    https://www.zdnet.com/article/these-popular-iphone-and-ipad-apps-are-snooping-on-data-copied-to-the-clipboard/

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for sharing this @angusl :+1: As my colleague Ben explained, if you use the Autofill feature, 1Password won't use the clipboard ;)

  • 1PWguy
    1PWguy
    Community Member

    @ag_ana This has been a big concern of mine the last few days as I have copied passwords to the clipboard on all platforms over the last year without realizing this. What about those sites/apps where autofill is not available? I'm trying to avoid manually typing in 40-50 random character passwords every time. Is drag and drop anymore secure or does it also use the clipboard?

    Is it not possible for 1PW to encrypt/decrypt text on the clipboard upon copy/paste itself? This would be ideal.

    Also, when saving a PW for the first time (registering on a new site), the option when saving is "save and copy." So our new PWs are automatically placed on the clipboard as soon as they are created.

    I'm having trouble understanding why I should not be concerned about this?

  • ag_ana
    ag_ana
    1Password Alumni

    @1PWguy:

    I'm having trouble understanding why I should not be concerned about this?

    I think it's because a password by itself is useless. As Ben wrote in his post above:

    If you're using secure unique passwords even if an app is monitoring the clipboard what would it gain to sniff these passwords from there? It still wouldn't have any context as to: if the text is even a password, what site/service it is for, etc.

    As to your other question:

    Is it not possible for 1PW to encrypt/decrypt text on the clipboard upon copy/paste itself? This would be ideal.

    I am not a developer, so am not able to give you an answer, but my understanding was that the clipboard is managed by the operating system. So when you use it, it will store whatever it is that you selected on your screen, in that format.

  • DanielP
    DanielP
    1Password Alumni

    @1PWguy:

    Is it not possible for 1PW to encrypt/decrypt text on the clipboard upon copy/paste itself? This would be ideal.

    Assuming for a moment that this is even feasible, I think this would make the situation worse from a security point of view, actually. With what encryption/decryption keys would we do this? The immediate answer is "the same ones that are used for your 1Password data", but how do you then access them when the clipboard is involved? The only two ways I can think of to make this work from a security perspective are by either asking you to enter your Master Password every time you use the clipboard inside 1Password, or (if you want to make the process more transparent, like a clipboard usually behaves) by storing your encryption/decryption keys in plaintext on your system. Both of these solutions are unacceptable in my opinion.

    Not to mention: even if this were feasible, how would the clipboard know when you are copying something sensitive to it, which therefore would require encryption and decryption? And where would we draw the line exactly? You could say that only passwords copied to the clipboard would require this, but you could also argue that email addresses should get the same treatment. So I also see several user experience issues here.

    The truth is that the clipboard is an "open" feature, intentionally: its purpose is to share information between places. This makes it inherently vulnerable to certain types of attack: 1Password mitigates this risk by not using the clipboard whenever possible, but the clipboard is a system-wide feature that cannot be avoided, and we are aware of that.

    In this specific case, however, it's exactly the lack of context that makes the impact of this issue lower. I could send you one of my 50+ character passwords, but its usefulness to you as an attacker would be very limited (if not null) if all you had was the password itself. In order to do anything with it, you need a lot more information, such as the website, the username or email address connected to it, whether it's even a password in the first place or, semantically, just regular text, 2FA codes in case you have 2FA enabled for this account etc.

    ===
    Daniel
    1Password Security Team

  • 1PWguy
    1PWguy
    Community Member

    Thanks for the responses. I don't mean to sound a bit paranoid, but the clipboard issue seems to be a major security risk. I've gone through great lengths to store highly sensitive data through storage systems that encrypt before transfer, data that is highly valuable and could be the difference between life and death for some people. It terrifies me that the only thing that may have protected that data is the 2FA I had set up, given I likely pasted the password onto the clipboard.

    TBH, the response that passwords by themselves are useless is ridiculous. There are virtually an unlimited number of combinations for a lengthy random PW. By comparison, there are far fewer website that require PWs. It's far easier to match a website to a PW than vice versa. I'm looking for a way to prevent a PW from being exposed through the clipboard. Seems my only option is change all my 40+ random passwords to 15-20 random characters and type them out manually rather than copy.

  • And then what would you do about key loggers, which are perhaps equally likely as clipboard sniffing? Sounds like a case of robbing Peter to pay Paul.
    The key is to not install untrusted software which might do such things on your devices. Only install from reputable sources, like the App Store or directly from vendors who have been vetted. Don't jailbreak your devices. If you don't have malware on your system then what is on the clipboard is of much less concern. The clipboard is a valuable tool. I wouldn't dismiss it entirely because of one incredibly narrow attack vector. The likelihood of an iOS app getting past Apple's review process while doing something nefarious like sniffing the clipboard for passwords seems slim, and then that app would also have to end up on your device.

    I don't mean to sound dismissive here. It isn't that this is of no consequence. But everything we do has risks, and the practical way to address that is to mitigate those risks with reasonable measures commiserate with the level of concern, without exposing ourselves to different risks (e.g. key loggers, in my example above). In this case being cautious of malware (which is incredibly limited in scope on non-jailbroken iOS devices) seems to be the prudent course of action.

    Ben

  • DanielP
    DanielP
    1Password Alumni
    edited April 2020

    @1PWguy:

    Leaving aside the cryptographical questions I raised in my previous post, I am glad you posted your additional concerns about the topic. I will attempt to address them in this post.

    TBH, the response that passwords by themselves are useless is ridiculous. There are virtually an unlimited number of combinations for a lengthy random PW. By comparison, there are far fewer website that require PWs.

    This is probably true, although I cannot technically prove it. While I can calculate the exact number of possible passwords of a certain length which I can create with a specific alphabet, I cannot know the exact number of available websites that require a login. But yes, let's say this statement holds true.

    How would you know what username and website combination that password belongs to, or even that it is a password? It could be an encoded piece of text. But let's suppose that it is a password after all, would you just try every website in the world, with every username in the world, hoping to find a match? Unless you know what you are looking for exactly, it sounds like a very expensive endeavor to me.

    For example, say I give you this password:

    dGhpcyBpcyBub3QgYSBwYXNzd29yZCwgYWx0aG91Z2ggaXQgcHJvYmFibHkgbG9va3MgbGlrZSBvbmU=
    

    Would you really find it useful to have this password here by itself, without any other context? For all you know, it might be the login password for one of my local virtual machines, so completely inaccessible to you anyway [1].

    Thanks for the responses. I don't mean to sound a bit paranoid, but the clipboard issue seems to be a major security risk.

    I would not be doing this job if I weren't paranoid myself. Much like pretty much everything else when it comes to security, this is a matter of finding a balance that works for you. Would the impact of this specific vulnerability be rendered null if you decided to stop using the clipboard altogether, and instead started typing all your passwords manually, every day for the rest of your life? Definitely. By not using something, you avoid every risk involved with it, that much is clear. Only you can choose whether the cost in terms of usability and time is worth it for you though. Personally, I think this is less secure, because you open yourself up to two different issues:

    1. You are using weaker passwords, making your accounts more unsafe. So you are exchanging an attack with a low risk (potentially zero if you did not install the malicious app on your device), for a 100% chance of lowering the security of all your accounts;
    2. You open yourself up to keylogger risk. If you ended up installing a malicious app that was able to read the contents of your clipboard, you have to consider that this malicious app could also be listening to your keystrokes (it's a safe assumption to make, from a threat modeling perspective).

    But again, only you can decide which scenario is more likely to you. Looking at the attack surface of this clipboad issue, I would argue that using weaker passwords and increasing your exposure to keyloggers is going to be a much more dangerous scenario.

    I'm looking for a way to prevent a PW from being exposed through the clipboard.

    As both Ana and Ben wrote earlier in this discussion already, if you use the Autofill feature, 1Password won't use the clipboard. I would recommend using this feature instead of shortening your passwords and typing them manually.

    ===
    Daniel
    1Password Security Team


    [1] For those of you wondering, this is not the password for one of my virtual machines: it's the Base64 encoding of the string "this is not a password, although it probably looks like one".

  • 1PWguy
    1PWguy
    Community Member

    Thanks for the detailed response. I always use autofill if it's available. And keylogging is a separate security risk in and of itself. My concern in this thread is with the clipboard, which I see as a greater problem. Maybe I'm wrong. I've been aware of keylogging issues, but the clipboard concern has only recently been put on my radar.

    I might reduce my password length, simply because of diminishing returns. Does it really matter if I reduce my PWs from 40-50 random characters to 20 random characters? No. The latter makes it easier for me to manually type in.

    The clipboard risk is more heightened than what I think is being acknowledged in this thread. A developer has access to a limited number of passwords on someone's clipboard, namely, only passwords to clients' accounts who have downloaded the developer's product, so a malicious developer can be pretty certain that it is a password to one of their client's accounts. If I were a malicious developer, I wouldn't care if the password to one of my client's accounts was to ESPN, but I'd probably check all the major banks or encrypted storage accounts were highly sensitive data is stored. This is the concern. Not that someone might be able to log into my ESPN account, but that someone might use it on an app that stores such sensitive info, like Sync.com or pCloud.

    At the end of the day, don't get me wrong, I love 1PW. I recommend it to everyone. To me, it's still the safest bet out there. But the clipboard risk is something serious. And I hope there's a way to safeguard it one day.

  • I think it is important to understand the confluence of events that would be required in order for someone to exploit this attack vector:

    1. Someone would have to write a malicious app, pay Apple for a developer account, and then submit said app to the App Store
    2. Apple would have to not find the fact that the app is acting in a way that is in violation of the rules and approve the app
    3. You would need to install the malicious app
    4. The malicious app would need to be running in the background while a password was on your clipboard

    OR your device would have to be jailbroken. If you're doing that, you're already circumventing many of the built-in security systems of your device, and are exposing yourself to a lot of unnecessary risk.

    Obviously everyone's level of risk and associated paranoia is different, and so you have to make the best decisions for your security based on the threats you individually are likely to face. Personally, I'm very careful about what apps I allow to run on my devices, I don't jailbreak, and I have a high level of confidence in Apple's review process. As such I'm not willing to give up the convenience of the clipboard in the limited circumstances that I put passwords onto it. I feel the risks associated with using shorter more typeable passwords are greater. But you may feel differently and that is certainly your prerogative.

    Ben

  • steve28236
    steve28236
    Community Member

    So in light of recent developments I wanted to add further to this discussion. I think there have been some erroneous assumptions here.

    1. Apple would not allow apps to pass the approval process that monitored the clipboard for passwords. With the advent of iOS 14 it has come to light that TikTok scans the clipboard every few seconds. TikTok is not the only offender, a number of other big names have been doing it too. Source; https://www.macrumors.com/2020/06/25/tiktok-clipboard-access-ios-14-caught/

    2. A password on it’s own without an email address or website is less dangerous. I would contend that the sort of person that copies and pastes their password is also likely to have just copied and pasted their email address for login moments prior. 1P goes some way to encourage this behaviour because when copy and pasting it automatically copies the password after email when you return to 1P. An app that is constantly scanning the clipboard would gather all this information (see above). Could an app also scan the current Safari webpage address? I have no idea but it wouldn’t surprise me if it could.

    Is there anything Agilebits could have done about this? Not that I can think of without crippling 1P functionality. But I do think it’s a bigger risk then they realise and recent events have borne that out.

  • ag_ana
    ag_ana
    1Password Alumni

    @steve23094:

    Our Chief Defender against the Dark Arts explained in this post today how 1Password minimizes the use of the clipboard, and only does so when the users requests it. Does that help alleviate your concerns?

  • Ben
    Ben
    edited June 2020

    With the advent of iOS 14 it has come to light that TikTok scans the clipboard every few seconds. TikTok is not the only offender, a number of other big names have been doing it too.

    It seems unlikely to me that TikTok (or other big names) are doing this to scan the clipboard for unrelated passwords. Now that iOS 14 is exposing this behavior developers (including ourselves) will be in the position of having to explain when and why they access the clipboard.

    Ben

  • steve28236
    steve28236
    Community Member

    It seems unlikely to me that TikTok (or other big names) are doing this to scan the clipboard for unrelated passwords.

    One would hope that was the case. Unfortunately these days with so many companies getting caught with their hands in the data cookie jar for nefarious purposes (à la Facebook) I have less faith than you.

  • That's fair. I think my point is that there are legitimate reasons to be checking the clipboard. While it is in theory possible that apps could do something malicious with that data, it seems unlikely for all the reasons I gave above. The fact that we now know which apps periodically check the clipboard doesn't really change any of what I posted above.

    Ben

This discussion has been closed.