SmallAtom

possible pwd leak with latest GBoard (android) and notes


Hi,

I know that EnPass tries to keep copied passwords as secure as possible... and it does a good job, at least at securing passwords that are copied to the clipboard, using a smart trick like emptying the clipboard after 30 seconds.

Today, after an upgrade/update from Google of its GBoard, I got notice of a new feature (it can be enabled, and GBoard proactively lets you know of the feature and how to enable it).... Such a feature is like a clipboard with every note that reaches the clipboard. So you have every note that was cut/copied in the last 1 hour, including passwords that get copied/pasted from EnPass.

This is a feature of GBoard and there is not much that EnPass can do... But it is still something that would be of interest, and maybe there are some workarounds....

For me, obviously, it is a feature that will be kept disabled, at least until Google changes something. Probably it could be interesting for EnPass (if you have enough voice with Google) to impose some tweaks, like the ability to remove items in the GBoard clipboard as well.

 

How to reproduce:

1) latest GBoard keyboard on Android (9.2.7.303045247 or better)

2) open the keyboard from any app

3) tap on the clipboard icon and enable the clipboard

4) copy some text and verify that it goes into the clipboard by tapping the clipboard icon again

5) create a new entry in EnPass with random login text and password (we don't want to use a real password for this test)

6) copy the password to the clipboard (tap on the password and copy)

7) wait a minute or so....

8) in any text field, try to long press and do a paste (you won't see any text appear, as EnPass should correctly erase the copied password from the copy/paste buffer)

9) open GBoard and select the clipboard icon and voilà... your password is still there and will be kept there unless it is manually deleted or 1 hour elapses

 

I can produce screenshots if needed and asked.

 

 

 

 


Hi @SmallAtom,

Sorry for the inconvenience caused to you.

 Please share the following details so that we can investigate where the problem could be.

  • On which devices and OS versions are you using Enpass?
  • Which Enpass version are you using?


No inconvenience at all, just reporting... and not even a fault of EnPass...

Issue seen on:

OS: Android 9 with Feb updates (OxygenOS 9.0.11)

EnPass: latest available on the Play Store, 6.4.2.327

Google Keyboard: the latest that I know of, as with Google it's hard to know what is "latest". Should be 9.2.7.303045247

 

As far as I can tell, it's all about a feature of GBoard that could be useful but can be an issue when dealing with passwords....

The feature can be enabled/disabled in GBoard. I don't know the extent of the issue. As far as I know, on Android apps can't access the clipboard while in the background. I don't know about this GBoard feature of advanced clipboard... I mean, I don't know if the content inside can be read by other apps or can be used only inside GBoard itself. I would say that's a minor issue if only GBoard can access that special clipboard, as there's still the possibility that someone could take possession of the device and take a peek (manually).

As I see it, this is inevitable (for now) but can be mitigated by disabling "advanced clipboard" in GBoard.

Some screens to clarify....

In this screen I had already created something just for testing in EnPass with a random password... In EnPass I had tapped on the password, selected Copy, and then, as you see in the screen, I copied it... All fine as expected. Then I waited 30 seconds or more.

[screenshot]

 

Then again I used the "paste" command (long press on the entry field and then select Paste).... But as expected nothing happens, as EnPass changes the clipboard to nothing, as expected, and mitigates the possibility of pasting passwords long after they are supposed to be used.

 

Now the trick.... when the keyboard is out, tap on the "clipboard" icon on top of the K-Y keys

[screenshot]

 

A screen of what GBoard shows....

A history of everything pasted in the last hour will appear, including passwords... So you can tap on it to paste and/or read it

[screenshot]
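
A minimal model of the behaviour reported in this thread, added here as an illustration and not code from Enpass, Gboard or the posters: it shows why wiping the system clipboard after 30 seconds leaves a copy in a separate keyboard-side history until that history's own one-hour limit passes. The class names, the test password and the assumption that the keyboard records each clip at the moment the clipboard changes are hypothetical; the 30-second and one-hour figures are the ones given in the posts.

```python
"""Constructed model: clearing the system clipboard does not purge a keyboard's clip history."""

CLEAR_AFTER_S = 30        # password manager's clipboard timeout (from the post)
HISTORY_TTL_S = 60 * 60   # keyboard history retention (from the post)


class SystemClipboard:
    """Holds one primary clip and notifies listeners when it changes."""
    def __init__(self):
        self.clip = ""
        self.listeners = []

    def set_clip(self, text, now):
        self.clip = text
        for listener in self.listeners:
            listener(text, now)


class KeyboardHistory:
    """Hypothetical keyboard clip history: keeps its own copy of each clip."""
    def __init__(self, clipboard, enabled=True):
        self.entries = []  # (timestamp, text), private to the keyboard
        if enabled:
            clipboard.listeners.append(self.on_clip_changed)

    def on_clip_changed(self, text, now):
        if text:  # an empty clip adds nothing and removes nothing
            self.entries.append((now, text))

    def visible(self, now):
        return [t for ts, t in self.entries if now - ts < HISTORY_TTL_S]


def simulate(history_enabled, secret="T3st-Only-Pw"):
    """Replay steps 6-9 and report what is readable at each point in time."""
    clipboard = SystemClipboard()
    keyboard = KeyboardHistory(clipboard, enabled=history_enabled)
    clipboard.set_clip(secret, now=0)            # copy password in the manager
    clipboard.set_clip("", now=CLEAR_AFTER_S)    # manager wipes the clipboard
    return {
        "paste_after_wipe": clipboard.clip,
        "history_at_60s": keyboard.visible(now=60),
        "history_after_1h": keyboard.visible(now=HISTORY_TTL_S + 1),
    }


if __name__ == "__main__":
    print(simulate(history_enabled=True))
    print(simulate(history_enabled=False))
```

With the history feature disabled, the second run retains nothing, which matches the mitigation described in the thread.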

 
