Samsung: Android clipboard saves passwords between
The Samsung keyboard on Samsung smartphones also lists old copied passwords in the history. The manufacturer is looking into possible changes.
(Image: Sundry Photography/Shutterstock.com)
Samsung Android smartphones store copied content in the clipboard. Old, copied passwords can occasionally be found in the clipboard history. Samsung is currently evaluating the problem.
Meanwhile, the case of a concerned Samsung user is making the rounds in the media – but the basic issue has been around for years. We also recently received a reader's note with this observation and can understand it: Passwords that have been copied from a password manager, for example, also appear in the history of the Samsung Android keyboard.
(Image:Â Screenshot / dmk)
The issue can be reproduced by tapping the clipboard icon when entering text, for example. This shows a history of entries that can go back quite a long way. Since the clipboard obviously does not consider the origin of the data, this can also be sensitive data such as passwords from the password manager.
Samsung: Clipboard security issue?
However, the clipboard works as expected in principle. Currently, the only way to access the clipboard is to open a keyboard (in addition to the Samsung keyboard, this also works with the Google keyboard –, which has its clipboard with the standard option to delete content after one hour) and tap the clipboard icon. The entries can be viewed there. There is also a trash can icon that can be used to delete individual or all entries in one go.
Videos by heise
Users' apps can access the clipboard and thereby gain unauthorized access to passwords. If the smartphone is not locked, other people can also access the data. Samsung explains in a response to the user report of the problem that the clipboard is managed at system level. However, it is not clear whether this means that other user accounts on a device may also be able to access the entries in the clipboard.
According to the forum post, Samsung has taken up the suggestions, such as automatically deleting the clipboard entries after a certain time or offering exception settings, and forwarded them to the responsible team for consideration. To mitigate the potential risk, Samsung advises users to delete the clipboard history when necessary and to use secure input methods for sensitive information. The company does not describe what this could look like in concrete terms, but presumably means the manual entry of access data.
Security concerns with the clipboard have so far tended to be the other way around: Programs can copy data to the system's clipboard unnoticed, as was the case with Chromium-based web browsers in 2022. This allows malicious actors to copy content there that unsuspecting users later paste into prompts, for example, and thereby carry out malicious actions. Such attacks were actually observed in the middle of last year – but they are not based on vulnerabilities in software, but on social engineering techniques that encourage victims to voluntarily copy and launch such commands themselves.
(dmk)
