https://bugs.kde.org/show_bug.cgi?id=437901

            Bug ID: 437901
           Summary: Klipper security risks
           Product: plasmashell
           Version: 5.21.5
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: Clipboard
          Assignee: plasma-b...@kde.org
          Reporter: med.medin.2...@gmail.com
  Target Milestone: 1.0

Klipper saves copied items permanently in "~/.local/share/klipper/history2.lst"
without applying any kind of encryption, and those items persist across
multiple logins/reboots, so any previously copied password will always be
available and easy to find by any malicious script or program downloaded by
the user. This is considered high risk for most average users.

I know copying passwords should be done from specialized apps that clear copied
passwords from the clipboard after a certain timeout, or do not even use the
system clipboard manager and instead consume ctrl+v and paste events/actions to
provide copied passwords. But in Plasma we lack any kind of integrated app or
widget that manages saving/copying logins and passwords. In other systems that
have a simple clipboard manager this problem has lower risk because the
clipboard is replaced after any new copy (because it all happens in volatile
memory) and it's cleared after rebooting or logging out, so the highly
sensitive data is lost.

NB: I found the plasma-pass widget, which could be improved to solve this
problem, but for now it clears the whole clipboard after a certain timeout.

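An audit check for the persistence described in the report, added here as an example; it is not code from the report or from KDE. It inspects the history file at the path the report quotes. The klipperrc location, the [General] KeepClipboardContents key with its on-when-unset default, and the helper names are assumptions.

```python
import os, stat, tempfile, time
from pathlib import Path

HISTORY_REL = ".local/share/klipper/history2.lst"  # path quoted in the report
CONFIG_REL = ".config/klipperrc"  # assumption: Klipper's KConfig file location

def read_kconfig_key(path, group, key):
    """Minimal KConfig (INI-style) lookup; returns None when the key is absent."""
    current = None
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == group and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                return v.strip()
    return None

def audit_klipper(home):
    """Report whether clipboard history is persisted under `home` and who can read it."""
    hist, cfg = Path(home) / HISTORY_REL, Path(home) / CONFIG_REL
    out = {"history_exists": hist.is_file(), "issues": []}
    if out["history_exists"]:
        st = hist.stat()
        out["size_bytes"] = st.st_size
        out["age_days"] = round((time.time() - st.st_mtime) / 86400, 1)
        if st.st_size > 0:
            out["issues"].append("clipboard history persisted on disk")
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            out["issues"].append("history file readable by group/other")
    # Assumption: [General] KeepClipboardContents (treated as on when unset)
    # is the setting that keeps history across sessions.
    keep = read_kconfig_key(cfg, "General", "KeepClipboardContents") if cfg.is_file() else None
    out["keep_on_exit"] = (keep or "true").lower() == "true"
    if out["keep_on_exit"]:
        out["issues"].append("history is kept across sessions")
    return out

def build_sample_home():
    """Constructed fixture: a fake home with a non-empty, world-readable history file."""
    home = Path(tempfile.mkdtemp())
    hist = home / HISTORY_REL
    hist.parent.mkdir(parents=True)
    hist.write_bytes(b"constructed-data")  # placeholder bytes, not Klipper's real format
    os.chmod(hist, 0o644)
    return home

if __name__ == "__main__":
    print(audit_klipper(Path.home()))
```

Tightening the file mode only keeps other accounts out; a program running as the same user can still read the file, so the "persisted on disk" finding is the one that corresponds to the risk in the report.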