bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Pasteboard type #2633

Open michalwski opened 6 years ago

michalwski commented 6 years ago

I'd like to exclude Bitwarden from a clipboard menu application (like Flycut). To do that I need to know what pasteboard type is used. According to this issue: https://github.com/bitwarden/browser/issues/326 it looks like this should be possible with the desktop version, is it?

kspearrin commented 6 years ago

How do I view what the clipboard value's pasteboard type is? I installed Flycut but I don't see anything that tells what the pasteboard type of each thing I copied is.

michalwski commented 6 years ago

Flycut can be configured to exclude given pasteboard types. The default value it excludes is: PasswordPboardType. You can see it in preferences. Hope that helps.

kspearrin commented 6 years ago

Unfortunately I am not seeing an API in electron for defining the Pasteboard Type during clipboard write functions. https://electronjs.org/docs/api/clipboard#clipboardwritetexttext-type

There is a "type" parameter, but that doesn't seem related to the Pasteboard type, since all still seem to be written as NSStringPboardType.

goncalossilva commented 4 years ago

They are marked as experimental APIs, but this should work, where format is org.nspasteboard.ConcealedType.

kspearrin commented 4 years ago

Thanks @goncalossilva . We'll keep an eye on this API.

3zero2 commented 4 years ago

Have there been any updates about this by any chance?

Stickyhavr commented 4 years ago

How do I view what the clipboard value's pasteboard type is?

One option is: https://github.com/sindresorhus/Pasteboard-Viewer

I found that info here: https://github.com/p0deje/Maccy/issues/125

I would love to be able to exclude BitWarden from Maccy. Hope this gets resolved someday. Thanks

3zero2 commented 4 years ago

Bitwarden only returns public.utf8-plain-text as the NSPasteboard type. I think that adding this to Flycut or Maccy would actually filter out not only Bitwarden but a bunch of other apps as well.

Stickyhavr commented 4 years ago

Yes, it would. That's why it would be best for BitWarden to use a particular pasteboard type that's not plain text. Either something like org.nspasteboard.ConcealedType or its own unique identifier. I don't know much about all of that, but there seems to be a list of some types here: http://nspasteboard.org/

krabf commented 3 years ago

Any updates on this? I'm also using Maccy and would love to exclude Bitwarden.

3zero2 commented 3 years ago

No updates as far as I know.

rraihansaputra commented 3 years ago

Hi @kspearrin, apologies for the ping, but is there any update about the clipboard.writeBuffer API usage? The Electron docs still mark them as experimental, and the Bitwarden app still outputs NSStringPboardType (checked from Flycut).

Stickyhavr commented 3 years ago

I still have my fingers crossed this will show up someday.

mcotse commented 3 years ago

Any updates? Would love to keep using Bitwarden and have proper integration with various clipboard managers 🙏

webdev69420 commented 3 years ago

Any updates?

eliykat commented 3 years ago

This has been triaged and is in our backlog, but does not have any specific deadline for a fix. That said, last I looked into it, the Electron and Browser APIs that let us set the pasteboard type are all marked as experimental. In particular, FF has limited support for the ClipboardItem and Clipboard.write APIs required. I think there's more danger in implementing this in an inconsistent or unreliable fashion than waiting for the API support to catch up.

bckp commented 2 years ago

Maybe @kspearrin, @eliykat this can be implemented as some experimental feature in BW itself... so users need to enable that explicitly. That will help Mac users that use Maccy (still do not understand why Apple did not implement this directly) and if everything goes wrong, you can just uncheck one option.

webdev69420 commented 2 years ago

Have there been any new developments concerning this issue?

spinlud commented 2 years ago

+1. Shouldn't this be put in priority? It seems a concerning security risk for anyone using the extension and a clipboard manager 😮

tomasherman commented 2 years ago

For what it's worth - a workaround for Alfred users: you can set up Alfred to ignore clipboard entries from certain apps - for example Bitwarden :) This almost forced me to go back to 1Password, luckily I found this workaround :)

Note that if you copy something from the browser extension, it is still stored in Alfred :(

Stickyhavr commented 2 years ago

Sure, for the desktop app it’s not a problem. Any good clipboard manager should allow you to specify apps that it doesn’t copy. (Also any good clipboard manager will automatically ignore a concealed type.)

The problem is with the browser extension because 99% of the things I copy in my browser are things I want to be in the history. To make things even messier, I actually like that my TOTP codes show up in my manager because I have mine (Maccy) configured to show last copied item in the menu bar, so I never have to wonder what’s on the clipboard, and I instantly know whether a login has TOTP stored in Bitwarden, or if I need to go look for it somewhere else, just by glancing at the menu bar.

So I’m still hoping this will come eventually. The most elegant solution would be for Bitwarden to mark its copies as concealed, or its own unique type. But thanks for posting a workaround, it’s nice to keep some energy in this thread.
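The filtering behaviour discussed up to this point in the thread, as an added example that is not part of the original discussion and is not Bitwarden, Maccy, Flycut or Alfred code. It models the two signals a clipboard manager can act on (marker types from nspasteboard.org and a per-app ignore list); the function names, the bundle IDs and the sample copy events are constructed assumptions.

```javascript
// Added illustration: how a clipboard manager can decide whether to record
// a copy. All names and sample data below are constructed.

// Marker types listed on nspasteboard.org, plus Flycut's default exclusion.
const SKIP_TYPES = new Set([
  'org.nspasteboard.ConcealedType',
  'org.nspasteboard.TransientType',
  'org.nspasteboard.AutoGeneratedType',
  'PasswordPboardType',
]);

// item.types:     pasteboard types present on the copied item
// item.sourceApp: bundle ID the manager attributes the copy to
function decide(item, ignoredApps = new Set()) {
  const marker = item.types.find((t) => SKIP_TYPES.has(t));
  if (marker) return { record: false, reason: `marker:${marker}` };
  if (ignoredApps.has(item.sourceApp)) {
    return { record: false, reason: 'ignored-app' };
  }
  // Plain text with no marker looks like any other copy.
  return { record: true, reason: 'no-signal' };
}

// Constructed ignore list; the bundle ID is an assumed sample value.
const IGNORED = new Set(['com.bitwarden.desktop']);

// Constructed copy events mirroring the cases described in the thread.
const EVENTS = {
  // Desktop app: plain text only, caught by the app ignore list.
  desktopApp: { sourceApp: 'com.bitwarden.desktop', types: ['public.utf8-plain-text'] },
  // Browser extension: attributed to the browser, plain text only.
  extension: { sourceApp: 'com.google.Chrome', types: ['public.utf8-plain-text'] },
  // The requested behaviour: same copy, with the concealed marker added.
  extensionConcealed: {
    sourceApp: 'com.google.Chrome',
    types: ['public.utf8-plain-text', 'org.nspasteboard.ConcealedType'],
  },
  // An ordinary copy from a web page, which the user wants in history.
  webPageText: { sourceApp: 'com.google.Chrome', types: ['public.utf8-plain-text'] },
};

function audit(events, ignoredApps) {
  return Object.fromEntries(
    Object.entries(events).map(([name, item]) => [name, decide(item, ignoredApps)])
  );
}

console.log(audit(EVENTS, IGNORED));
```

The `extension` and `webPageText` events are identical to the manager, so ignoring the browser would drop both and ignoring neither records the password; only the marker type separates them.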

tomasherman commented 2 years ago

BTW this also affects credit card numbers, which to me is even worse than passwords, although of course passwords are bad enough. I wonder how/if other password managers address this in the browser extension.

tomasherman commented 2 years ago

One more idea - until a proper fix can be made, I would be satisfied with an option to disable copy-from-webextension. This would force me to use the app, and that I can put into the ignore list. This would solve the worry I have of accidentally copying sensitive info into the clipboard from the web extension without realising it.

exploitJ commented 1 year ago

Any updates? This can be a serious vulnerability.

bmccraw86 commented 1 year ago

+1 for this change. I use a browser extension for most of my passwords and I tend to copy vs auto-fill a lot.

Ashiro12138 commented 1 year ago

For what it's worth - a workaround for Alfred users: you can set up Alfred to ignore clipboard entries from certain apps - for example Bitwarden :) This almost forced me to go back to 1Password, luckily I found this workaround :) ... Note that if you copy something from the browser extension, it is still stored in Alfred :(

Same issue here. My clipboard manager (Maccy) allows me to exclude certain applications and it works fine when I'm copying directly from the app itself. But when I copy something from the browser extension it'll still be recorded. As of 12/06/2023 Bitwarden is still returning public.utf8-plain-text for passwords. Are there any updates on this?

paulrudy commented 1 year ago

This has been an issue for 5 years now. Could one of the Bitwarden maintainers please explain why this issue is not considered a priority?

mtzfox commented 1 year ago

This has been an issue for 5 years now. Could one of the Bitwarden maintainers please explain why this issue is not considered a priority?

Second this!

dbosompem commented 1 year ago

Hi everyone, apologies for leaving this hanging for a while. I must admit this almost got lost in the midst of other high priority work. We are discussing internally the path forward, and I will be sure to share with the community any findings. Thank you for your patience as we look into this!

bluekeybo commented 1 year ago

@dbosompem any update on this? We'd really appreciate it, as it will enhance the user experience and security for those who use a clipboard manager. Thank you!

thomasdemoner commented 11 months ago

Hi everyone, apologies for leaving this hanging for a while. I must admit this almost got lost in the midst of other high priority work. We are discussing internally the path forward, and I will be sure to share with the community any findings. Thank you for your patience as we look into this!

Any findings?

mvevitsis commented 8 months ago

@dbosompem How on earth is this obvious security risk not fixed already?

fooness commented 7 months ago

Hi everyone, apologies for leaving this hanging for a while. I must admit this almost got lost in the midst of other high priority work. We are discussing internally the path forward, and I will be sure to share with the community any findings. Thank you for your patience as we look into this!

@dbosompem This was many months ago. Please, share your findings and the path forward.

Xytronix commented 6 months ago

@Hinton can we expect an update soon?

1vishen commented 5 months ago

Hoping there would be an update soon, I’ve been using Maccy, which ignores the Bitwarden app but not the browser extension. The extension is much more convenient.

romajmg commented 5 months ago

bump

Xytronix commented 5 months ago

@dbosompem This feature was requested 6 years ago and well received by anyone here. Can we get an update asap?

zer0cee commented 4 months ago

+1

samundra commented 4 months ago

+1, coming from a developer background, I can see why it's being delayed. Let's have some patience and wait for the experimental browser API to become stable first. Then we can expect it to be implemented into Bitwarden.

ilyagr commented 4 months ago

If it's true that the app does this correctly, one possible work-around would be heavy-handed, but might be worth it: have the extension ask the Bitwarden app to do the actual copying to the clipboard.

This would of course only work if the app is running. The extension and the app can already communicate for the biometric verification, though of course there are many technical details I would be unaware of that could potentially make my suggestion difficult or impossible to implement.


Update: No, the Bitwarden app does not set the pasteboard type on MacOS either, it's not just the extension. (Or rather, it's set to public.utf8-plain-text) This would be nice and likely easier to fix, but see also the above comment https://github.com/bitwarden/clients/issues/2633#issuecomment-1118960550 for possible obstacles.

However, regardless of the pasteboard type, a clipboard manager like Maccy can be told to ignore copies coming from the Bitwarden app, and perhaps could change the default config to do it by default, so having the copy come from the app would still be helpful.

colineberly commented 4 months ago

+1, coming from a developer background, I can see why it's being delayed. Let's have some patience and wait for the experimental browser API to become stable first. Then we can expect it to be implemented into Bitwarden.

Patience... if 6 years isn't patience, I dunno what is.

mBeded-Studios commented 1 month ago

Bump. Just downloaded a clipboard manager, Maccy, and realizing this is really unsafe to use with the Chrome extension which I use daily.

mvevitsis commented 1 month ago

It is insane that this has not been fixed after all this time

TickDracy commented 1 month ago

Hi everyone, apologies for leaving this hanging for a while. I must admit this almost got lost in the midst of other high priority work. We are discussing internally the path forward, and I will be sure to share with the community any findings. Thank you for your patience as we look into this!

Hello, is there any update regarding this?

paulrudy commented 1 month ago

I moved to a MacOS/iOS app that works with KeepassX databases because of this issue specifically.

TickDracy commented 1 month ago

I moved to a MacOS/iOS app that works with KeepassX databases because of this issue specifically.

I, personally, prefer Bitwarden, given that it's been great until now. I even decided to purchase Premium to support them (even though I don't need any of the Premium features). But using Maccy app on macOS alerted me to this bug and seeing that it's open since 2018, I don't have too much hope that it will be fixed.

But I'm open to considering other alternatives with multi-system integration (Windows, macOS, Linux and iOS), given that's necessary for me. So please, feel free to recommend them!

mvevitsis commented 1 month ago

Neither KeePass nor 1Password have this problem.

Xytronix commented 1 month ago

Neither KeePass nor 1Password have this problem.

@mvevitsis could you explain this further? Does 1Password browser extension copy from the desktop app?

mvevitsis commented 1 month ago

They both have their own pasteboard type. Bitwarden doesn't.

paulrudy commented 1 month ago

But I'm open to considering other alternatives with multi-system integration (Windows, macOS, Linux and iOS), given that's necessary for me. So please, feel free to recommend them!

I'm using Strongbox (iOS/MacOS) and I've been very happy with it for the past few months. It uses the open source KeepassX database format, easily imports Bitwarden and other formats, and you can get clients for KeepassX which are compatible with Windows and Linux