When I was using the Bitwarden Windows desktop client, I found that it could not clear the clipboard after copying the password in time.
At the same time, I tested the Chrome-based Microsoft Edge browser extension and found that it was the same.
If this extremely serious bug is not fixed in time, sensitive information is collected by malicious programs, which may bring extremely serious security problems to users’ network accounts.
As far as I can tell, the “Clear Clipboard” option is not honored (as you describe), unless the information is copied using the copy icon.
Thus, you should be able to use the copy icon to protect yourself from this behavior (unless you are copying information from an Identity item, which does not have copy buttons).
I’m not sure, but I think that this behavior may be relatively new. Unless my recollection is wrong, it did not always behave this way.
This is one of the reasons that I created a unique FF profile for sensitive accounts that I use BW to access. I am not worried about my bank and real name email being nefarious, but I am concerned that other “workspace” sites I visit might be. The FF profile I use for non-sensitive sites does not ever see BW and the clipboard is flushed before opening the new FF instance. That is not that difficult to do and lets me feel just a bit of peace with the isolation method I use. A thought?
An interesting approach. Does switching FF profiles automatically flush the clipboard? Does it also clear the clipboard history (if enabled)?
IMO, the best way to safeguard against clipboard vulnerabilities is to use the auto-fill function to transfer credentials from Bitwarden into the login forms.
I forgot to respond fully to your post yesterday. I use Parcellite clipboard manager on Debian 12, which is in their repository so apt-get allows for a safe install!
Parcellite adds an icon to my system tray and a simple click allows me to instantly clear/delete the clipboard. It syncs with both clipboards but using a mouse seldom adds an entry to the primary and usually only the “Use Copy” clipboard --> hope this makes sense.
I might add to brag about BW --> my vault seldom adds anything to the clipboard when I simply click on an FF bookmark and then complete sign-in from within the BW extension from the browser. My browser is never allowed to save cookies, which is outside of this thread, but it is an important aspect of the concerns we are addressing here, LOL!
Even though Parcellite is actually designed to save history of several clipboard entries, you can easily tell Parcellite to NOT save history and you only need to clear the newest item or so. Works fine for me anyway.
Lastly, if you just want to verify if there is anything in your clipboard you can simply click on the system tray icon and if the clipboard is empty the “edit clipboard” option will be grayed out. Should that button NOT be grayed out you can click on “edit Clipboard” and it will show what is on the clipboard with no questions as to the content. That is a nice observation to resolve any concerns with an instant verification!
@OpSec The issue described here pertains to Bitwarden’s “Clear Clipboard” feature failing to clear the most recent item copied, if deliberately copied by Ctrl/Cmd+C (e.g., copying a cryptographic key stored in a Secure Note). It has nothing to do with password history tools.
I think we are missing each other’s point. I do know that we are not discussing history tools. I had mentioned above that I configured Parcellite to never keep history. Parcellite simply looks at any current items on the two clipboards my system uses. Not being certain if Bitwarden’s “Clear Clipboard” fails to succeed or not as several on this thread were questioning, led me to seek a solution I can live with. With Parcellite running 100% in my system tray I simply click on it and both of the clipboards are immediately cleared. That I can live with. Hope this makes sense.
I find Bitwarden to be such an amazing piece of software! I have looked through and experienced several managers and nothing comes close for advanced users on a Linux system. It’s virtually flawless if configured correctly.
Further, Parcellite clearly shows me any items in my Clipboard so those copy and pastes from Secure Notes are looking right at me. One click and they are gone!
I’m not familiar with Linux clipboards, so I’m not sure what “both” clipboards is a reference to. If clicking the Parcellite systray icon clears the Parcellite clipboard and the system clipboard, then this would help mitigate the issue that has been described in the current thread, but only if one remembers to manually clear the clipboard(s) after copying from the Bitwarden vault.
I fully agree that automatic clearing via the BW app would be the key. For now I simply click on my systray item to clear it all off. I am a man of habit so it would be unlikely that I would forget, but I am human, LOL! I clear clipboard items all the time from many different apps and browser instances so I will continue to use this beyond the “jurisdiction” of BW anyway.
I think Bitwarden can take a look at KeePassXC, which is based on another open-source password manager: KeePass, which has an automatic clipboard cleanup feature.
I don’t want to accidentally leak my password while typing; it’s very important when recording a video or stream. I mean, copy the account number or password and clear it immediately.