Firefox Fixes Password Leak via Windows Cloud Clipboard Feature (therecord.media) 13
Mozilla has fixed an issue in its Firefox browser where usernames and passwords were being recorded in the Windows Cloud Clipboard feature, in what the organization categorized as a severe security risk that could have exposed credentials to non-owners whenever users copied or cut a password. From a report: The issue was fixed in Firefox 94, released last month, but was detailed in more depth this week by Mozilla developers. At its core, the bug is related to Windows Cloud Clipboard, a feature added to Windows 10 in September 2018 (v1809 release), a feature that allows users to sync their local clipboard history to their Microsoft accounts. The feature is disabled by default, but once enabled, it allows users to access the cloud clipboard section by pressing the Windows+V shortcut. This grants users access to clipboard data from all devices, but the feature is also used for its clipboard history capabilities, allowing users to go through past items they copied or cut and re-paste the same data in new contexts, making it extremely useful for most IT workers. In a blog post on Wednesday, Mozilla said that they have now modified the Firefox browser so that usernames and passwords copied from the browser's password section (about:logins) won't be stored in the Windows Cloud Clipboard feature, but instead will be stored only locally, in a separate clipboard section.
Everything in the cloud (Score:2, Informative)
Re: (Score:1, Insightful)
Another bog-standard microsoft fuckup. Funny how nobody noticed before while knowing full well microsoft's track record. They come up with a feature, the feature involves sending all your data to someone else's datacentres, and nobody stops and thinks "waitaminute..."
So now we have a microsoft fuckup that leaks sensitive data everywhere and mozilla "fixes" this problem in microsoft code, actually works around it, in firefox' code. It is the style poettering demands of everyone forced to use his code. But i
Re: (Score:2)
You sound like my old boss when he found out, after the design was complete, that the rooftop HVAC units in southern Florida had to be physically secured from blowing over in a hurricane. He said that that was crazy because in a hurricane you have so many dan
Re: (Score:2)
With this feature windows is a security risk all by itself
You mean this disabled by default feature which only shares passwords directly with someone who is sitting in front of a machine *you* logged into is a security risk?
Do you routinely give out passwords or leave your logged in devices unattended? That sounds pretty silly to me.
Or are you maybe suggesting that the mechanism is the security risk, a mechanism which if intercepted would actually give an attacker far more valuable abilities such as remote locking of your devices, the ability to do password resets
Need to manually turn on the windows feature (Score:2)
This is a feature of Windows that you manually have to turn on. It doesn't affect a stock installation.
Still a bad bug though, but why would the clipboard be involved for automated password entry?
Re: (Score:2)
Still a bad bug though, but why would the clipboard be involved for automated password entry?
Because shitty copy-pasta "programmers" do shit like use the clipboard as if it were a variable...
...thats how fucking copy-pasta they be.
Re: (Score:2)
Every three months I have to change my passwords at $WORK. Since every frelling $WORK website requires my username/password (even the "anonymous" surveys), this requires going through and updating each password in the Firefox password database. Usually I copy/paste my new password to avoid having to type it a hundred times.
Of course, this is all on Linux, so I don't worry that much about things being uploaded to Microsoft without my knowledge.
Funny enough (Score:2)
I never knew Windows had this feature. Now I'm interested.
Thanks Mozilla!
How's that a "severe security risk" or even a bug? (Score:2)
You go and enable "Clipboard history", you put something in clipboard and then it's a bug that it's there? You go and enable "Sync across devices" and you are shocked and it's a "severe security risk" to find the clipboard content on another synced device?
There's a serious amount of ridiculous handholding going on right now in the industry. Disabling screen shots while in certain apps on mobile is one of them too. Yea, I understand the thinking and what are they trying to protect but there should be a promp
One bug at a time sweet jesus (Score:2)