Security: Clipboard remembers previous value after clearing leading to potential leak of information.
Reported by iancaunc...@gmail.com, Jun 11 2017
Issue description

Several password managers automatically clear the clipboard using a timeout to prevent your passwords/private information from leaking. An example of one of these apps is: https://github.com/bpellin/keepassdroid

When the clear event occurs, you expect the value in the clipboard to be removed. In all non-WebView-based components, it is cleared fine and when you press the paste button, nothing is pasted. However, in Chrome, specifically on a webpage, the value is remembered even after an app has "cleared" it, allowing you to paste the contents of the clipboard.

Steps:
1) Copy a value to the clipboard.
2) Paste the value into an input box inside Chrome on a webpage.
3) Wait for the clipboard to be cleared.
4) Verify it has been cleared by pasting into the URL bar or into any native input box.
5) Attempt to paste into an input box inside Chrome on a webpage.

If successful, the value which has been cleared in the system clipboard is remembered in Chrome when pasting on a website.

On Android 7.1, all apps which render using a WebView seem to also be affected. I believe this is because Chrome is the default rendering engine used for WebView.

I have also tried clearing the clipboard manually using this app and the bug still occurs: https://play.google.com/store/apps/details?id=com.kodholken.clipboardcleaner&hl=en_GB

To be clear, this only affects pasting into webpages and not native application input boxes.

Chrome Version: 58.0.3023.83 stable
Operating System: Android 7.1.2 Build N2G47W

I believe this to be a security issue as users will often use password managers to securely store passwords and other private information for websites. If they rely on their clipboard automatically clearing, they won't expect their information to remain inside the clipboard, specifically inside Chrome, whilst being cleared everywhere else. Someone who has access to the device could then retrieve the information.
Jun 13 2017
Thanks for the report. I'm removing the security labels on this bug because physically local attacks are outside of Chrome's threat model. (https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-) I wasn't able to reproduce on Android 5.0.1, trying on a more recent Android now... Also cc'ing tedchoc in case this rings any bells.
Jun 13 2017
Hi, I have also been able to replicate the issue on a Nexus 7 tablet running 6.0.1 build MOB30X. Chrome version: 58.0.3029.83. Thanks, Ian
Jun 13 2017
I can't reproduce on Android 7.1.2 either, with Chrome 58. I'm doing the following steps:
1.) Copying text in an app like Maps.
2.) Clearing the clipboard using the Clipboard Cleaner app from the bug description.
3.) Pasting into www.pastebin.com in Chrome.
The clipboard is empty. Please let me know if there are other steps needed to reproduce.
Jun 13 2017
Hi, yeah, sorry, there is one missing step. You need to paste the value into www.pastebin.com before clearing to make Chrome "aware" of the value and then attempt to paste again after clearing. You should find that you can paste the value in pastebin once it has been cleared but not in any native input boxes such as the Chrome URL bar.
1.) Copying text in an app like Maps.
2.) Paste into www.pastebin.com in Chrome.
3.) Clearing the clipboard using the Clipboard Cleaner app from the bug description.
4.) Pasting into www.pastebin.com in Chrome.
Jun 13 2017
Thank you for providing more feedback. Adding requester "estark@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 13 2017
Adding dcheng@ for general clipboard knowledge as the C++/java boundary isn't something that I'm terribly familiar with. mpearson@ also did some updates recently that tracked update time and maybe that actually would have addressed any issues as we now are listening to changes from the clipboard manager?
Jun 13 2017
I'll leave investigation of this to dcheng@.
Jun 13 2017
Code digging results:

The password manager referenced in the bug description writes the password to the clipboard in EntryActivity.timeoutCopyToClipboard at [1] and clears it in EntryActivity::ClearClipboardTask.run at [2]. Both of these use Util.copyToClipboard, which calls into the deprecated ClipboardManager.setText [4] at [3].

In Chrome, the Android Clipboard is implemented in ui/android/java/src/org/chromium/ui/base/Clipboard.java and ui/base/clipboard/clipboard_android.cc. org.chromium.ui.base.Clipboard uses Android's ClipboardManager.addPrimaryClipChangedListener [5] to subscribe to clipboard change events at [6]. org.chromium.ui.base.Clipboard.onPrimaryClipChanged() calls into ClipboardAndroid::OnPrimaryClipChanged, which further calls into ClipboardMap::OnPrimaryClipboardChanged.

[1] https://github.com/bpellin/keepassdroid/blob/d2e2ff5bbaceead23550913a31416e9603c76e0f/app/src/main/java/com/keepassdroid/EntryActivity.java#L411
[2] https://github.com/bpellin/keepassdroid/blob/d2e2ff5bbaceead23550913a31416e9603c76e0f/app/src/main/java/com/keepassdroid/EntryActivity.java#L448
[3] https://github.com/bpellin/keepassdroid/blob/d2e2ff5bbaceead23550913a31416e9603c76e0f/app/src/main/java/com/keepassdroid/utils/Util.java#L51
[4] https://developer.android.com/reference/android/content/ClipboardManager.html#setText(java.lang.CharSequence)
[5] https://developer.android.com/reference/android/content/ClipboardManager.html#addPrimaryClipChangedListener(android.content.ClipboardManager.OnPrimaryClipChangedListener)
[6] https://cs.chromium.org/chromium/src/ui/android/java/src/org/chromium/ui/base/Clipboard.java?q=addPrimaryClipChangedListener&l=57
Jun 13 2017
Comments on the C++ side lead me to believe there is a static copy of the clipboard, though I don't understand its implementation yet. I'm not entirely sure the C++ will do the right thing when the clipboard has no contents.
Jun 14 2017
I am not able to reproduce the reported behavior. I tried to reproduce this behavior under Android 7.1.1 using Chrome Canary and the Clipboard Cleaner app linked in the initial report. When I attempted to re-paste in step 5, no text was pasted. Can you confirm that this behavior still occurs in recent Chrome Canary versions?

First few lines from about: on the Chrome Canary version I used during the attempt:
Google Chrome 61.0.3129.0 (Official Build) canary (32-bit)
Revision b7e12bae8572c1ed03d0959ed71df8e4efe2f8ee-refs/heads/master@{#478840}
OS Android 7.1.1; Google Chromebook Pixel (2015) Build/R61-9627.0.0
Jun 14 2017
Hi, Tested using Chrome Canary and I can confirm that I cannot reproduce the issue. Apologies as I should have tested using the beta/dev/canary builds before reporting. Thanks, Ian
Jun 14 2017
Thank you for your report and for the speedy follow-up! I don't expect issue reporters to install and test in less-stable channels (sometimes channel choice is not even under their individual control for the devices they observe problems on), so no apologies are called for. I'm glad the issue seems to be fixed for you too with a newer version, and (unless there's a more serious security problem here than I am aware of) we should be able to wait for the fix to roll out to everyone with the stable channel.
Jun 23 2017
Sorry I missed this bug in a pile of email. For some background: it does sound like the issue was from a desync of the internal C++ clipboard and the Android native keyboard. We have the internal C++ clipboard because the Android one is currently fairly limited in terms of what types it supports. To get around that, we store the clipboard data for everything we can't write to the Android clipboard internally. When C++ code read from the clipboard, it would first use heuristics to detect if the internal clipboard is in sync with the system clipboard--and if not, it would clear the internal clipboard and refresh it from the system clipboard. It doesn't surprise me that this may have been broken in subtle ways (as the unit tests don't run on Android...). Using the clipboard change notifications hopefully fixed the sync issues here Once and For All.
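The two comments above (the code-digging results and the background on the internal C++ clipboard) describe a cache-invalidation failure: Chrome keeps an internal copy of clipboard data for formats the Android clipboard cannot hold, and a read-time heuristic decided whether that copy was still in sync with the system clipboard. The following is an added, constructed model of that failure mode and of the notification-based fix; it is not Chromium's or keepassdroid's code, and the names `SystemClipboard`, `HeuristicClipboard`, `NotifiedClipboard` and `RunScenario`, the specific heuristic (refresh only when the system text is non-empty and differs from the cache) and the sample value "hunter2" are all assumptions made for the example. It walks the reporter's steps: copy, paste into the page, password manager clears, native paste, paste into the page again.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for the Android system clipboard: one text slot plus
// primary-clip-changed listeners. Not the real android.content.ClipboardManager.
class SystemClipboard {
 public:
  using Listener = std::function<void()>;
  void SetText(const std::string& text) { text_ = text; Notify(); }
  void Clear() { text_.clear(); Notify(); }
  const std::string& GetText() const { return text_; }
  void AddPrimaryClipChangedListener(Listener listener) {
    listeners_.push_back(std::move(listener));
  }
 private:
  void Notify() { for (const auto& listener : listeners_) listener(); }
  std::string text_;
  std::vector<Listener> listeners_;
};

// Internal cache keyed by format name, modelling the extra formats the system
// clipboard cannot hold. Only "text/plain" is exercised here.
using InternalClipboard = std::map<std::string, std::string>;

// Heuristic sync (assumed failure mode, not Chromium's actual heuristic): the
// cache is refreshed only when the system clipboard holds non-empty text that
// differs from the cached text, so an empty system clipboard never invalidates it.
class HeuristicClipboard {
 public:
  explicit HeuristicClipboard(SystemClipboard& sys) : sys_(sys) {}
  std::string ReadText() {
    const std::string& sys_text = sys_.GetText();
    auto cached = cache_.find("text/plain");
    const bool has_cached = cached != cache_.end();
    if (!sys_text.empty() && (!has_cached || cached->second != sys_text)) {
      cache_.clear();                   // out of sync: refresh from the system
      cache_["text/plain"] = sys_text;
      return sys_text;
    }
    // Bug: empty system text is treated as "nothing to sync from", so the stale
    // cached password is returned after the password manager cleared it.
    return has_cached ? cached->second : sys_text;
  }
 private:
  SystemClipboard& sys_;
  InternalClipboard cache_;
};

// Notification-driven sync: every primary-clip change drops the cache, so a
// clear from any app (the password manager included) is honoured on the next read.
class NotifiedClipboard {
 public:
  explicit NotifiedClipboard(SystemClipboard& sys) : sys_(sys) {
    sys_.AddPrimaryClipChangedListener([this] { cache_.clear(); });
  }
  std::string ReadText() {
    auto cached = cache_.find("text/plain");
    if (cached != cache_.end()) return cached->second;
    const std::string& sys_text = sys_.GetText();
    if (!sys_text.empty()) cache_["text/plain"] = sys_text;
    return sys_text;
  }
 private:
  SystemClipboard& sys_;
  InternalClipboard cache_;
};

// Runs the reporter's steps against one implementation; returns
// {what a native input box pastes, what the page pastes} after the clear.
template <typename ClipboardImpl>
std::pair<std::string, std::string> RunSteps() {
  SystemClipboard sys;
  ClipboardImpl page(sys);
  sys.SetText("hunter2");  // step 1: password manager copies (constructed value)
  page.ReadText();         // step 2: pasting into the page warms the cache
  sys.Clear();             // step 3: timeout clears the system clipboard
  return {sys.GetText(), page.ReadText()};  // steps 4 and 5
}

struct ScenarioResult {
  std::string native_after_clear;     // native paste (same for both models)
  std::string heuristic_after_clear;  // page paste with heuristic sync
  std::string notified_after_clear;   // page paste with notification sync
};

ScenarioResult RunScenario() {
  const auto heuristic = RunSteps<HeuristicClipboard>();
  const auto notified = RunSteps<NotifiedClipboard>();
  return {heuristic.first, heuristic.second, notified.second};
}

int main() {
  const ScenarioResult r = RunScenario();
  std::cout << "native paste after clear:   '" << r.native_after_clear << "'\n"
            << "heuristic page after clear: '" << r.heuristic_after_clear << "'\n"
            << "notified page after clear:  '" << r.notified_after_clear << "'\n";
  return 0;
}
```

The model reproduces the report exactly: the native paste is empty after the clear, the heuristic-synced page still returns the password, and the notification-synced page returns nothing. The design point is that a clear is a state change with no content to compare against, so any read-time "is my cache stale?" check that keys off the presence of system data will miss it; subscribing to change events makes the cache invalidation independent of what the new content looks like.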
Comment 1 by elawrence@chromium.org, Jun 12 2017. Labels: OS-Android