Passwords copied to the clipboard from the browser extensions are not marked as Concealed
When using the Copy option to copy and paste a password from the browser extension (I have tested in both Chrome and Safari), the password is not copied with the Concealed property (org.nspasteboard.ConcealedType). This is a problem as it means that my clipboard manager will store this sensitive information in the clipboard history, whereas if it had been marked with the appropriate type the clipboard manager would know to ignore it.
I tried reverting back to 1Password 7, which resolved the problem in Safari, but not in Chrome.
1Password Version: 8.5.0
Extension Version: 2.1.4
OS Version: macOS 12.1
Comments
Hey @efenner:
Great question! As 1Password in the browser is operating solely in the context of the browser, our clipboard management options are limited and as such, the concealed property isn't set when copying from 1Password in the browser. As for the difference in 1Password 7 for Safari, as 1Password 7 in Safari is heavily linked to 1Password 7 for Mac, we're able to set the property. We're always exploring options, and I've added your feedback to the internal issue we have regarding this. Thanks for asking!
Jack
ref: dev/core/core#159
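For readers unfamiliar with the marker discussed in the first post and the reply above, this added example (not part of the thread and not 1Password's code) shows how a native macOS app can tag a copied secret with `org.nspasteboard.ConcealedType` and how a clipboard manager can check for it before recording history. The function names `copyConcealed` and `shouldRecord` are hypothetical, and the password is a constructed sample written to a private pasteboard rather than the real clipboard.

```swift
import AppKit

// Marker type from the nspasteboard.org convention. Its presence on an item,
// not its value, is what tells clipboard managers to skip the item.
let concealedType = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")

/// Writer side: what a native password manager can do when copying a secret.
/// (Hypothetical helper, not an API of any product.)
func copyConcealed(_ secret: String, to pasteboard: NSPasteboard) {
    pasteboard.clearContents()
    let item = NSPasteboardItem()
    item.setString(secret, forType: .string)
    item.setString("", forType: concealedType)   // empty payload, the type is the signal
    pasteboard.writeObjects([item])
}

/// Reader side: what a clipboard manager should check before saving history.
/// Returns false when any item carries the concealed marker.
func shouldRecord(_ pasteboard: NSPasteboard) -> Bool {
    guard let items = pasteboard.pasteboardItems, !items.isEmpty else { return false }
    return !items.contains { $0.types.contains(concealedType) }
}

// Private, uniquely named pasteboard so the demo never touches the system clipboard.
let pb = NSPasteboard.withUniqueName()

// Case 1: copy with the marker, as the desktop app / Quick Access path can.
copyConcealed("constructed-sample-password", to: pb)
print("marked copy: record in history?", shouldRecord(pb))

// Case 2: plain-text copy with no marker, the situation reported in this thread.
pb.clearContents()
pb.setString("constructed-sample-password", forType: .string)
print("plain copy:  record in history?", shouldRecord(pb))

pb.releaseGlobally()
```

A clipboard manager that honors the convention skips the first copy and records the second, which is why an unmarked copy ends up in history and in any cross-device sync built on it.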
Hi @jack.platten, thanks for your reply. If there is not a solution for this, I see it as a major vulnerability.
I just tested, and copying the password using Quick Access doesn't have this issue, presumably since that is connected to the local app rather than the browser extension, but I don't find that as convenient or intuitive as 1Password mini or the 1Password 7 implementation. Since the extension is what pops up when I am trying to fill the password, that is what I am most likely to use.
Please let me know if anything changes here or if there are any other methods that I might be missing.
Thanks!
Hey @efenner:
Thanks for your follow-up. Indeed you're right, Quick Access is working with the desktop app, and not the browser extension. While I can't promise anything, this is something we're aware of. In the meantime, if you're concerned about your clipboard manager saving your credentials, copying from Quick Access or the full 1Password app would be your best bet.
Jack
Hi, any updates on this? This is causing pasted contents to be visible across my devices (with any sort of "paste/clipboard" apps), and is a severe security risk, especially given that all of these apps already handle sensitive information and pastes from 1PW apps as well...!
If possible, please prioritize this. Thanks