Cause for Concern?

michael2
Community Member

iMore has a story about how some iOS apps (the article focuses mostly on TikTok) are able to snoop on users' clipboards, and I was wondering if this should give 1Password users pause about copying sensitive items such as passwords to their clipboards, especially if they are using Universal Clipboard. Do the fine folks at 1Password have any thoughts about this?



Comments

  • prime
    Community Member

    I found this list on MacRumors of all the apps that had this access

    Apps currently spying:
    News
    • ABC News
    • Al Jazeera English
    • CBC News
    • CBS News
    • CNBC
    • Fox News
    • News Break
    • New York Times
    • NPR
    • ntv Nachrichten
    • Reuters
    • Russia Today
    • Stern Nachrichten
    • The Economist
    • The Huffington Post
    • The Wall Street Journal
    • Vice News
    Games
    • 8 Ball Pool™
    • AMAZE!!!
    • Bejeweled
    • Block Puzzle
    • Classic Bejeweled
    • Classic Bejeweled HD
    • FlipTheGun
    • Fruit Ninja
    • Golfmasters
    • Letter Soup
    • Love Nikki
    • My Emma
    • Plants vs. Zombies™ Heroes
    • Pooking – Billiards City
    • PUBG Mobile
    • Tomb of the Mask
    • Tomb of the Mask: Color
    • Total Party Kill
    • Watermarbling
    Social Networking
    • TikTok
    • ToTalk
    • Tok
    • Truecaller
    • Viber
    • Weibo
    • Zoosk
    Other
    • 10% Happier: Meditation
    • 5-0 Radio Police Scanner
    • Accuweather
    • AliExpress Shopping App
    • Bed Bath & Beyond
    • Dazn
    • Hotels.com
    • Hotel Tonight
    • Overstock
    • Pigment – Adult Coloring Book
    • Recolor Coloring Book to Color
    • Sky Ticket
    • The Weather Network

  • jpgoldberg
    1Password Alumni

    Apps which poll the clipboard frequently may not be doing so maliciously. While I don't like what those apps are doing, I doubt that they are keeping and storing passwords that they sniff from the clipboard. Of course there is a risk that some apps are acting maliciously. And that is a risk that has been well known since clipboard/pasteboards were invented.

    This is one of the reasons why 1Password (or 1Passwd, as it was called at the time) offered browser integration from its very beginnings nearly 15 years ago. It is also one of the reasons why we have never placed a password or user secret in the clipboard of any system without the user explicitly asking to copy to the clipboard. Going back to slightly more recent history, here is something we wrote about filling in Android back in 2014: Avoiding the Clipboard with 1Password and Lollipop. Although the technical details and mechanisms have developed a great deal since then, that article shows that, unlike some other password managers, we only ever wanted secrets to go into the clipboard with the user's knowledge and consent.

    We continue to develop ways to further reduce the need for people to copy passwords (or other secrets) to the clipboard, but these depend very much on the particular systems. And these develop over time.

    Auto-filling for security and convenience

    Anyway, in addition to the convenience advantage of using the non-clipboard mechanisms for 1Password to fill in passwords, there are two major security advantages.

    Using 1Password's filling mechanism (whatever it is for the particular platform) instead of the clipboard:

    • Dramatically reduces the chance of you filling in a password into a place it doesn't belong. A phishing site needs to trick both you and 1Password to get 1Password to fill in a password into the wrong place.
    • The password passes from 1Password to the appropriate place (such as a browser) through a more secure channel than the clipboard.
  • XIII
    Community Member
    edited June 2020

    This Telegraph UK article also states that apps from respectable developers are/were checking the clipboard:

    https://www.telegraph.co.uk/technology/2020/06/25/tiktok-stop-snooping-users-clipboards-iphone-update-shows-app/

    (Apps like SSH client Prompt from Panic and Reddit client Apollo; their developers promised to fix this)

  • ag_ana
    1Password Alumni

    Indeed, which is why 1Password is built so we can avoid using the clipboard as per jpgoldberg's post. Since we cannot control other apps, we need to make sure we do all we can to prevent bad things from happening :+1:

  • michael2
    Community Member

    Thanks for the responses everyone. I was unaware of the risks involved in copying passwords to clipboards, so this story came as a surprise to me.

  • ag_ana
    1Password Alumni

    You are very welcome @michael2. It's good that you are thinking about these things. If you have any other questions, we are always here.

  • prime
    Community Member

    I have copied passwords before because the site wouldn't auto fill correctly or at all. The Transunion app was just recently.

  • Ben
    edited June 2020

    As Jeff alluded: In the interest of fairness... there are legitimate reasons to check the clipboard. We do it too. I think it is worth giving these developers an opportunity to explain what they're checking for and what they're doing with the data before condemning them or assuming they're sniffing for or gathering private data.

    As an example, we check the clipboard to see if there is a Setup Code on it, which we can then use to add your 1Password account to 1Password.

    Ben

  • XIII
    Community Member

    I guess 1Password also has to do this to restore the contents of the clipboard after temporarily putting a 2FA code on it?

  • That could be another example, though I'm not sure that would actually show such a notification.

    Ben

  • XIII
    Community Member

    I’m actually curious about that, but I’m not running the iOS 14 beta.

    Maybe someone else can check?

  • ag_ana
    1Password Alumni

    I am currently not running the beta either, but we can certainly see if someone does :+1:

  • Report from development is "yes; it does cause the alert, currently."

    Ben

This discussion has been closed.