
Comment by userbinator

10 hours ago

> but it does suggest there were a number of people who might have been broadcasting their text selections to the internet for several years. Given that people copy and paste passwords from their password managers, or select the text of sensitive emails and documents during the course of editing, that should be a significant cause for concern.

I don't know what "significant" means in this case, but a password is worth something only to those who know what the password is for and are willing to find out. I'm pretty sure all those seemingly popular "editing" plugins that read everything on the screen to send to a cloud service for "AI assistance suggestions" do far worse... and given what I've seen people do with accidentally pasting things into Google, it likely already knows a lot more than you thought it did.

I'm sure if people discovered that a Debian package offering "AI suggestions" would send the clipboard over unencrypted HTTP to two Chinese servers, it would make a similar noise.

Actively listening to the clipboard, and immediately, automatically sending the content elsewhere is akin to keylogging, spyware, plain and simple. It's a questionable practice even after accepting a huge popup, not to mention that the functionality is practically buried in TFA case.

> a password is worth something only to those who know what the password is for

I also copy-paste my username from KeePass, so you'd pretty quickly get everything.

  • OK, so you have the username and password. But what about where to use the credentials? Is that also copy-pasted from somewhere?

    It's like coming across a key someone dropped on the road. You don't even know what it's for.

    Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.

    • > It's like coming across a key someone dropped on the road. You don't even know what it's for.

      There's a lot of keys that are self-identifying, even real keys. My key has "Apartment Name, Apartment Number" engraved into the head, and searching the apartment name on Google brings it up in the first 5 results.

      Let's say you find the following plaintext on the network: "sk-xxx....". Do you know what it's for? What if it's AKIAIOSFODNN7EXAMPLE?

      What if it's a list of words from the BIP-39 wordlist?

      > Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.

      It only takes one person, and since this is HTTP traffic, not HTTPS, the number of people who can see it is huge. Everyone on your wifi (i.e. the whole coffeeshop, remember Firesheep), your ISP, each router between your ISP and China, and so on.

      I wouldn't be surprised if someone is scanning all traffic that they see for bitcoin private keys and BIP-39 phrases since both of those could lead to some significant financial gain.

      Heck, back in the day in my college dorm I ran a wifi hotspot only to sniff plaintext traffic and poke around, since I had a less strong sense of morals, and I bet the kids these days are still doing that.

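The point made in the comment above, that some secrets identify their own service by their shape (an AWS access key ID beginning with "AKIA", an "sk-" API key, a run of BIP-39 words), is exactly what a clipboard guard, log scrubber or outbound-telemetry filter can check for before anything leaves the machine. The following is an added example, not code from the thread or from any project it mentions: a small scanner that classifies such tokens and redacts them from a string. The patterns and sample inputs are constructed for illustration; `AKIAIOSFODNN7EXAMPLE` is the key ID quoted in the thread, and the BIP-39 check is structural only (word count and word shape), since the full 2048-word list and checksum validation are not included here.

```python
import re

# Constructed patterns for the self-identifying secret shapes named in the
# thread. Real deployments would tune these; they are illustrative only.
PATTERNS = {
    # AWS access key IDs: the "AKIA" prefix followed by 16 uppercase
    # alphanumerics (the documented example AKIAIOSFODNN7EXAMPLE fits).
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # "sk-" style API keys: prefix plus a long token body.
    "sk_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}

# BIP-39 mnemonics come in these word counts; every word is 3 to 8
# lowercase letters. This is a shape check, not a wordlist/checksum check
# (assumption: that is good enough to decide "do not transmit").
BIP39_WORD_COUNTS = {12, 15, 18, 21, 24}
BIP39_WORD = re.compile(r"^[a-z]{3,8}$")


def looks_like_bip39(text):
    """Return True if the whole text has the shape of a BIP-39 seed phrase."""
    words = text.strip().split()
    if len(words) not in BIP39_WORD_COUNTS:
        return False
    return all(BIP39_WORD.match(w) for w in words)


def classify(text):
    """Return a list of (kind, matched_text) findings for self-identifying secrets."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, match.group(0)))
    if looks_like_bip39(text):
        findings.append(("bip39_mnemonic", text.strip()))
    return findings


def redact(text):
    """Replace every finding with a [REDACTED:kind] marker so the text is safe to log or send.

    A bare password with no surrounding context (e.g. "hunter2") is left alone:
    as the thread notes, it is not self-identifying on its own.
    """
    if looks_like_bip39(text):
        return "[REDACTED:bip39_mnemonic]"
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    return text


if __name__ == "__main__":
    # Constructed sample inputs, as a clipboard guard might see them.
    samples = [
        "AKIAIOSFODNN7EXAMPLE",
        "token=sk-EXAMPLE0123456789abcdefghij",
        "abandon " * 11 + "about",
        "password=hunter2",
    ]
    for s in samples:
        print(repr(s), "->", classify(s), "|", redact(s))
```

A guard built this way sits between the clipboard (or the selection buffer) and whatever wants to upload it, and refuses or scrubs the content when `classify` returns anything; the same functions work unchanged over captured HTTP request bodies or access-log lines when auditing what a plugin has already sent.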

    • People reuse user names and passwords all the time.

      It is also quite feasible to test a user+password combo on the most common websites.

    • I use a unique email address with the + format for each service, like "me+kagi@email.com". Login with email reveals the service through the address.

      And yes, I too usually copy-paste both the username and the password, one right after the other. I have often thought that it seems very risky, but good to learn that Wayland already prevents clipboard sniffing.

I have seen people paste their seed phrase into the URL bar in Chrome, which will send it to Google for auto-complete. Even the access log itself is going to contain compromising information in that case, since that is sent as part of the query string.