https://bugs.kde.org/show_bug.cgi?id=458063

            Bug ID: 458063
           Summary: KDE Connect clipboard sharing syncs passwords copied
                    from password managers
           Product: kdeconnect
           Version: 22.04.3
          Platform: Fedora RPMs
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: common
          Assignee: albertv...@gmail.com
          Reporter: firlaevhans.fi...@protonmail.com
  Target Milestone: ---

SUMMARY
Also see
https://www.reddit.com/r/kde/comments/ws99fn/can_i_make_kde_connect_ignore_copied_passwords/
Basically, I want to keep using the clipboard sync feature of KDE Connect, but
unfortunately it means that passwords copied from my password manager will also
be synced to the connected devices and, unlike on the machine they were copied
from, won't be automatically deleted from their clipboards after 10 seconds.
This is a pretty big security issue for anyone using both a PM and a synced
clipboard.
If there's a way KDE Connect could know where a clipboard item came from, it
would be great if one could blacklist specific sources (like my password
manager KeePassXC) from being synced to other devices.

STEPS TO REPRODUCE
1. Have a connected device via KDE Connect, with clipboard sharing enabled
2. Let your password manager copy something to the clipboard
3. Check the clipboard on the connected device

OBSERVED RESULT
The copied content (password) is synced to all other devices.
On the "host" machine, password managers like KeePassXC will usually
automatically delete the copied password from the clipboard after a few
seconds. Also, even within those few seconds, the password doesn't show up in
the Klipper history. But on all devices that KDE Connect syncs the clipboard
to, the password is permanently added to the clipboard.

EXPECTED RESULT
If possible, KDE Connect should be able to have a blacklist of applications
whose clipboard items will not be synced.
Otherwise, it might be possible to get away with only syncing the actual
Klipper history and not copied items that aren't added to the history (because
KeePassXC passwords aren't, but manually copied stuff would be).

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 36
KDE Plasma Version: 5.25.4
KDE Frameworks Version: 5.96.0
Qt Version: 5.15.5
Kernel Version: 5.18.17-200.fc36.x86_64 (64-bit)
Graphics Platform: Wayland
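
A sync filter can key on the marker that keeps these entries out of the Klipper history, rather than on the source application. The following is an added example, not part of the original report and not KDE Connect's code. It assumes the password manager tags its copies with the x-kde-passwordManagerHint MIME type set to "secret" (as KeePassXC does on KDE); the function names and the sample events are constructed.

```cpp
// Added example, not KDE Connect source. A clipboard change is modelled as
// MIME type -> payload; a Qt application would query QMimeData the same way.
#include <iostream>
#include <map>
#include <string>
#include <vector>

using ClipboardOffer = std::map<std::string, std::string>;

// Assumption: the password manager tags its copies with this MIME type and
// value (KeePassXC does on KDE), which is the marker Klipper honours.
const std::string kHintMime = "x-kde-passwordManagerHint";
const std::string kHintValue = "secret";

enum class SyncDecision { Sync, SkipSecret, SkipNoText };

SyncDecision decideSync(const ClipboardOffer &offer) {
    auto hint = offer.find(kHintMime);
    if (hint != offer.end() && hint->second == kHintValue)
        return SyncDecision::SkipSecret;          // never leaves this machine
    auto text = offer.find("text/plain");
    if (text == offer.end() || text->second.empty())
        return SyncDecision::SkipNoText;          // modelled here: the timed clear
    return SyncDecision::Sync;
}

// Returns the payloads that would be sent to paired devices, in order.
std::vector<std::string> payloadsToSync(const std::vector<ClipboardOffer> &events) {
    std::vector<std::string> out;
    for (const auto &offer : events)
        if (decideSync(offer) == SyncDecision::Sync)
            out.push_back(offer.at("text/plain"));
    return out;
}

// Constructed sample sequence: normal copy, password copy, timed clear, normal copy.
std::vector<ClipboardOffer> constructedEvents() {
    return {
        {{"text/plain", "meeting at 10:00"}},
        {{"text/plain", "constructed-example-password"}, {kHintMime, kHintValue}},
        {{"text/plain", ""}},
        {{"text/plain", "https://example.org/"}},
    };
}

int main() {
    for (const auto &p : payloadsToSync(constructedEvents()))
        std::cout << "sync: " << p << "\n";
    return 0;
}
```

Because the hinted entry is never sent, the later clear on the host has nothing to undo on the paired devices.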
