martininsulander / KrunnerBitwarden

GNU Lesser General Public License v2.1

Password leaking to kde clipboard #1

Open jiampong212 opened 2 years ago

jiampong212 commented 2 years ago

Is there a way to work around this? Like disabling the clipboard before copying it and enabling it after copying?

martininsulander commented 2 years ago

Hi, fun to hear someone trying it out 😃

About the issue. The way of using the clipboard is a bit of a security risk. I don't know if there is any way around it, except pushing for applications to support secretservice (a dbus protocol that I think can be used to fill in passwords). So this is a tradeoff between security and convenience.

As far as I know, it is not possible to pause Klipper. I know of these methods: [image]

The first is to clear the complete password history, but for me that is a bit too inconvenient.

The second method would be to clear the current entry (clearClipboardContents). It sounds promising, but I cannot get it to work. And there would always be a risk of another entry being added after, meaning the password won't be removed.

So currently I have no solution. Probably need to contact KDE developers to figure out how to do it.

jiampong212 commented 2 years ago

Thanks for replying. This is a great program, of course I will try it out 😊 I made something like this when I was using only a wm and rofi. All I did was pause the clipboard. Sad to know that there's no functionality like that in kde klipper.

Searching the internet shows that there is indeed a feature request for adding pause functionality to klipper, like in here, but it is still "confirmed".

Although, looking at the methods you showed above, is it possible to send the password to the clipboard, and another string to the history, for example replace the passwords by asterisks in the history?

Edit: the method I suggested above is also what the bitwarden gui used to hide the password in the clipboard history, so I guess it is possible?

martininsulander commented 2 years ago

An idea that maybe could solve this is to instead act as a virtual keyboard. The idea is that you first select the field you'd like to fill in, and then select the entry in krunner. The Krunner dialog will disappear (hopefully selecting the previous window and form), and act as if you'd typed the password.

I have played a tiny bit with it in X and it could work. I'm not sure how Wayland would like it though.


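```python
from time import sleep
from pynput.keyboard import Controller

def send_text(text):
    kbd = Controller()
    # Give the user time to focus the target field before typing starts
    sleep(4)
    # Emit each character as a key press followed by a release
    for char in text:
        kbd.press(char)
        kbd.release(char)

send_text('passwrd')
```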
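
On the history-hiding idea raised earlier in the thread: Klipper skips clipboard entries that also carry the MIME type `x-kde-passwordManagerHint` with the value `secret`. The sketch below is an added example, not code from this thread or from KrunnerBitwarden; the helper names are hypothetical, and it assumes PyQt5, a Klipper version that honours the hint, and a session in which the process is allowed to own the clipboard.

```python
"""Offer a secret on the clipboard with the KDE password-manager hint set."""
import sys

# MIME type a password manager attaches so that a hint-aware clipboard
# manager (Klipper) does not store the entry in its history.
HINT_MIME = "x-kde-passwordManagerHint"
HINT_VALUE = b"secret"


def build_offer(secret: str) -> dict:
    """Return the MIME formats to offer for one clipboard selection."""
    if not secret:
        raise ValueError("refusing to offer an empty secret")
    return {"text/plain": secret.encode("utf-8"), HINT_MIME: HINT_VALUE}


def is_marked_secret(offer: dict) -> bool:
    """The check a hint-aware clipboard manager applies before recording."""
    return offer.get(HINT_MIME) == HINT_VALUE


def copy_secret(secret: str, clear_after_ms: int = 15000) -> None:
    """Own the clipboard for clear_after_ms, then clear it and exit.

    PyQt5 is imported lazily so the helpers above work without a display.
    """
    from PyQt5.QtCore import QMimeData, QTimer
    from PyQt5.QtWidgets import QApplication

    app = QApplication(sys.argv[:1])
    offer = build_offer(secret)
    mime = QMimeData()
    mime.setText(offer["text/plain"].decode("utf-8"))
    mime.setData(HINT_MIME, offer[HINT_MIME])
    clipboard = app.clipboard()
    clipboard.setMimeData(mime)  # the clipboard takes ownership of mime

    def clear_and_quit():
        # Drop the secret even if the user never pasted it
        clipboard.clear()
        app.quit()

    QTimer.singleShot(clear_after_ms, clear_and_quit)
    app.exec_()


if __name__ == "__main__":
    # Read the secret from stdin so it never appears in the process list
    copy_secret(sys.stdin.readline().rstrip("\n"))
```

The hint only affects clipboard managers that check for it; any other application that reads the clipboard while the secret is offered still sees the plain text.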