Bug 352171

Summary: clipboard history in systray cannot be really disabled, security problem
Product: [Unmaintained] klipper Reporter: empire
Component: plasma-widgetAssignee: Martin Flöser <mgraesslin>
Status: RESOLVED WORKSFORME    
Severity: major CC: aleixpol, alex-kostjukov, aron.heinecke, emrecio, fincer89, Hamburger1984, joe.harvell.x, kde, kde, kde, marek, mklapetek, rdieter, sancelot, shaikadzari, zmp.kde.bugreport
Priority: NOR    
Version: 5.4.0   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description empire 2015-09-02 18:02:24 UTC
The clipboard icon in the systray can only be hidden and not disabled. If you click Systray Settings and uncheck "Clipboard" the icon gets removed but the functionality is still active.

You can test this by unchecking it (removing it from the systray) and copy and paste multiple texts and re-checking it and the whole clipboard history will be there proving that the functionality was active and never disabled.

I consider this a security concern as I copy and paste sensitive information all the time, I don't want my clipboards to persist for security and privacy reasons.

In KDE 4 this functionality was provided by the process klipper, but in 5 this process was moved inside the plasmashell process. Therefore there's no clean way of totally and completely disabling clipboard history and eliminating this security/privacy concern.

There should be a way to totally disable and deactivate any clipboard functionality.

Reproducible: Always

Steps to Reproduce:
1. right click systray -> Systray Settings -> uncheck clipboard press apply
2. copy and paste multiple texts (more than 1)
3. right click systray -> Systray Settings -> check clipboard press apply
4. left click on the Clipboard icon in systray

Actual Results:  
Clipboard comes up with the copied to clipboard texts that you made while it was "disabled" that proves that it still processed and stored the copy/paste information.

Expected Results:  
Clipboard popup (and it's memory) should be completely empty.
Comment 1 David Edmundson 2015-09-02 21:11:09 UTC
That does seem to be happening.

I don't think it's a particularly big security problem; but it's definitely a waste of memory.

Confirming.
Comment 2 empire 2015-09-02 21:16:31 UTC
It's more of a privacy problem than security really. Having said that I think it still makes it particularly easy for a malicious program to have a convient store of previous copy pastes with high probability of copied passwords.

I use a wallet manager with strong passwords and copy paste passwords often and I'm concerned about my clipboard privacy. 

Keepass which is a popular and security concious wallet manager makes it a big issue out of the external clipboard handling and it goes out to erase the clipboard contents after a prompt timeout so as it exposes the passwords as little as possible. To have clipboard history in this case just makes all this effort futile.
Comment 3 David Edmundson 2015-09-02 21:19:15 UTC
if a malicious app wanted to do that, they could just monitor your clipboard in exactly the same way the klipper backend does, clipboards are just a public property in X.
Comment 4 Thomas Lübking 2015-09-03 15:40:55 UTC
my concDr when this was brought up on the forum was rather "malicious humans" - or your wife ;-)
(simple rule is that if a malicious tool executes with your user permissions, your privacy is nuked. when it has root permissions, game's over)

however, this might point a bug in unloading plugins, what, if general, might indeed cause quite some trouble (memorywise and on implicit singletons)
Comment 5 Andreas Krohn 2015-09-14 08:42:33 UTC
For me (using fedora 22, plasma 5.4.1) the new klipper breaks pwsafe for me. Please provide a way to (at least temporary) disable grabbing everything from the clipboard!
Comment 6 EMR_Kde 2015-09-17 13:34:11 UTC
(In reply to Andreas Krohn from comment #5)
> For me (using fedora 22, plasma 5.4.1) the new klipper breaks pwsafe for me.
> Please provide a way to (at least temporary) disable grabbing everything
> from the clipboard!

agreed!
Comment 7 EMR_Kde 2015-09-17 13:57:33 UTC
And it may conflict with Klipper (which is far superior UI) which *can* be turned off.
Comment 8 Stéphane ANCELOT 2015-10-29 16:22:10 UTC
In my case, this is not a privacy or security problem. That's only a feature I don't want on a desktop customised for an industrial application.
Regards,
S.Ancelot
Comment 9 Stéphane ANCELOT 2015-10-29 16:49:25 UTC
This is a plugin ? a service?

It may be disabled?
Comment 10 shaikadzari 2015-12-04 20:38:36 UTC
I would like to add my vote to an option to disable the clipboard widget completely.
I really don't want this feature at my work (someone could see a password they should not).
Comment 11 Martin Klapetek 2015-12-07 20:10:14 UTC
> This is a plugin ? a service?

In a way, yes. Every applet is a "plugin" loaded into plasmashell process. Klipper is no different. Technically you could permanently disable it by just removing the applet from your system (located at /usr/share/plasma/plasmoids/org.kde.plasma.clipboard).
Comment 12 Joe Harvell 2016-02-08 23:08:23 UTC
(In reply to Martin Klapetek from comment #11)
> In a way, yes. Every applet is a "plugin" loaded into plasmashell process.
> Klipper is no different. Technically you could permanently disable it by
> just removing the applet from your system (located at
> /usr/share/plasma/plasmoids/org.kde.plasma.clipboard).

Thanks for the work around.  I don't consider this a solution because any time I upgrade this package through my distro it will be re-enabled.
Comment 13 Kai Uwe Broulik 2016-02-08 23:12:38 UTC
> just removing the applet from your system

Umm, isn't unchecking "Clipboard" in System Setting's Additional Entries configuration enough?
Comment 14 Joe Harvell 2016-02-08 23:24:38 UTC
(In reply to Kai Uwe Broulik from comment #13)
> > just removing the applet from your system
> 
> Umm, isn't unchecking "Clipboard" in System Setting's Additional Entries
> configuration enough?

https://forum.kde.org/viewtopic.php?f=66&t=128086#p341072
Looks like you can't.  I tried confirming this myself, but with system settings in plasma 5.5.4, I don't see a category called "Additional Entries," and when I search in the top right search text field for clipboard it doesn't find anything.
Comment 15 Kai Uwe Broulik 2016-02-08 23:26:53 UTC
System Tray settings, sorry. Ie, right-click the arrow on the icons next to the clock, choose "System Tray Settings" and there's a list of "Additional Entries". Uncheck "Clipboard" and the applet will be removed (it won't just be hidden in the popup but not even loaded anymore).
Comment 16 Joe Harvell 2016-02-08 23:30:07 UTC
Yes, that appears to solve it.  Thanks.
Comment 17 Martin Flöser 2016-02-15 07:57:33 UTC
Given comment #15 and #16 it seems that it's still possible to completely disable it, so there themes to be no bug.
Comment 18 zmp.kde.bugreport 2016-04-30 07:03:51 UTC
This doesn't appear to be true anymore, at least in 5.5.5.

Exactly as the original report states, unchecking the clipboard in "System Tray Settings" will hide it, but anything that is copied AFTER hiding it will show up in the clipboard again should you ever select clipboard in System Tray Settings again.
Comment 19 Marek Rost 2016-07-10 21:54:43 UTC
This problem reappeared for me on plasma 5.7.0-2 (archlinux package). 

'System Tray Settings' (accessed by right click on the arrow) no longer contain Clipboard in 'General -> Extra Items' section. Instead it appears in 'Entries' panel - and there is no option to disable it. Only available options are 'Visible, Hidden, Auto'.

Futhermore none of these states removes Clipboard from the System Tray dropdown panel. Thus, on top of inability to disable it, we can no longer hide it as well.
Comment 20 Martin Flöser 2016-07-11 05:49:19 UTC
My system tray still has a General section there and one can remove items through it (just tested). This sounds like a problem with the update. Best check with your distribution whether all packages were installed and old one properly removed. The implementation of the systemtray got exchanged in 5.7.
Comment 21 Marek Rost 2016-07-12 19:56:07 UTC
You were right, reinstalling plasma packages and restarting the desktop environment did the trick. Apologies for sounding the alarm. This is definetly better way than to manually remove the plasmoid in /usr/share/plasma/plasmoids/org.kde.plasma.clipboard.
Comment 22 Aron Heinecke 2016-08-18 18:38:40 UTC
Kubuntu 16.04
Plasma 5.5.5
There's no "quit" option nor an file do disable the autostart like it was said in the docs.
This is really a problem with Passwordmanagers at Applications where the autotype isn't working that well. Even more when the whole history should be saved to the disk.
I'm really frustated by this problem. Greb in the process tree does also not work, it really is integrated into the plasma process.
+1 For optionality like nearly every core feature that can be disabled via "Background Tasks" option...
I'm sorry but I'm really shocked about this.
Comment 23 Martin Flöser 2016-08-19 07:29:32 UTC
Please see comment #15 on how to disable the klipper plasmoid from loading.
Comment 24 Aron Heinecke 2016-08-19 18:08:44 UTC
You are right, I can disable it via that option and once I've (relogged?) restarted, the application really isn't running in background any more (until that point it is).
But what I would prefer even more, would an option to disable the clipboard tracking when a certain application is running, and to track it again, when it's closed.
By this I could use the wonderful idea behind klipper but would be spend from the problems when my password manager is open.
Comment 25 Martin Flöser 2016-08-19 18:36:43 UTC
> disable the clipboard tracking when a certain application is running

ah I get what you mean - like bug #156547. It's tricky. On X11 at least the clipboard does not know where data is copied from, so it cannot exclude say for firefox.
Comment 26 Aron Heinecke 2016-08-19 18:47:28 UTC
> where data is copied from
I would already be okay with a ps aux | grep implemented, which disables the tracking until the process with that specific name is closed.

Or even easier: "[ ] Track clipboard" option in the rightclick-menu, so I can disable it beforehand and enable it afterwards again.
Comment 27 Aron Heinecke 2016-08-19 18:49:43 UTC
P.S.:
Updating the docs to give you the hint that you can at least completely disable it by right clicking the arrow would already be a great help.
I've spend 2h before trying to look for the docs specified config files (which aren't existing nowadays) and getting an autostart=false entry to work.