This vulnerability was discovered by security researchers from The Hacker News. The following password managers have affected browser extensions that are based on DOM (Document Object Model):

  • 1Password
  • Bitwarden
  • Dashlane
  • Enpass
  • iCloud Passwords
  • Keeper
  • LastPass
  • LogMeOnce
  • NordPass
  • ProtonPass
  • RoboForm

  • BuccaneerScientist@discuss.tchncs.de · 10 days ago

    Thank you for making me smarter!

    There is one thing I don’t understand though. Wouldn’t the password manager need to have its window focused to clear the clipboard? And wouldn’t that allow any focused window to extract the information in the meantime?

    • DapperPenguin@programming.dev · 10 days ago

      Any time, we’re all in this together after all. I needed to learn some here as well, and if anybody comes by with follow-up knowledge it is welcome.

      As far as Wayland works, source clients (the application you copy from) can clear the clipboard without stealing the focus. Note that if you copy from another client, the source client is now changed to the new one and the password manager will no longer be able to clear your clipboard. And this behavior is easily verifiable.

      Unfortunately I am unsure if any focused application obtains access to clipboard content immediately or if the user needs to initiate some sort of Ctrl+V behavior. This would need to be followed up on. However, that is why I give my password manager a 10 second timeout to clear the clipboard. Honestly it could be shorter. But I do not Alt-Tab through a bunch of random applications in the meantime. Typically I go straight to where the authentication is needed, and nowhere else. Meaning my clipboard should be cleared of sensitive data before I ever give clipboard access to another app.

      Better than other graphical compositors which simply broadcast your clipboard content to the entire ecosystem.

      So where we’re at is 1) do apps get access to the clipboard immediately upon focus, and 2) what is happening where it appears some applications have hacked a way to steal focus.
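
The timed clear discussed in the reply above, as an added example that is not part of the thread or of any password manager's code: it copies a secret, waits, and clears only if the clipboard still holds that secret, so content copied from another client in the meantime is left alone. It assumes the `wl-clipboard` tools (`wl-copy`, `wl-paste`); the function names and the `CLIP_*` override variables are hypothetical.

```shell
#!/bin/sh
# Added example: timed clipboard clear for Wayland using wl-clipboard.
# The backend commands can be overridden (hypothetical CLIP_* variables),
# which also lets the logic be exercised without a running compositor.
: "${CLIP_COPY:=wl-copy}"
: "${CLIP_PASTE:=wl-paste --no-newline}"
: "${CLIP_CLEAR:=wl-copy --clear}"

# Hash stdin so the comparison does not keep the plaintext around.
digest() { sha256sum | cut -d' ' -f1; }

# clip_clear_if_unchanged <expected_digest>
# Returns 0 if the clipboard still held the expected content and was cleared,
# 1 if something else (or nothing) is there now and it was left untouched.
clip_clear_if_unchanged() {
    current=$($CLIP_PASTE 2>/dev/null | digest)
    if [ "$current" = "$1" ]; then
        $CLIP_CLEAR
        return 0
    fi
    return 1
}

# copy_with_timeout <seconds>   (secret is read from stdin)
# Usage: printf '%s' "$password" | copy_with_timeout 10
copy_with_timeout() {
    secret=$(cat)
    printf '%s' "$secret" | $CLIP_COPY
    want=$(printf '%s' "$secret" | digest)
    unset secret
    sleep "$1"
    clip_clear_if_unchanged "$want"
}
```

A non-zero return from `copy_with_timeout` means the clipboard changed during the wait and was not cleared by this script.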