Leak of almost correct password to clipboard from GUI, at least in KDE

Open peterNordin opened this issue 2 years ago • 0 comments

Expected behavior

Veracrypt should not automatically trigger copying of contents of the password input field.

Considered "solutions/expected behavior" (just brainstorming):

  • Do not auto select the text when returned to the password dialog
  • Completely block any attempt to copy from the password dialog (maybe not a good idea, not sure)
  • If user has checked "Display password", when user presses the OK button to proceed with decryption, reset the "Display password" checkbox to unchecked, so that in the case of failed decryption, the password is hidden again when returned to the dialog. The user may then choose to display the password again.

Observed behavior

I am not sure if this is an issue in Veracrypt or my desktop environment (KDE) or a combination of the two. I have not tried on other platforms/desktop environments.

I use the Veracrypt GUI to mount an encrypted volume. My password is very long and to avoid mistyping it I checked the box "Display password". Still I wrote one character wrong and my volume failed to decrypt and mount.

This is where the problem occurs. When I am returned to the "Enter password for /path/to/volume" dialog, my incorrect password is automatically selected/highlighted (like drag selecting it with the mouse). This automatically triggers a copy-to-clipboard, and my almost correct password has now leaked in clear text to the clipboard. (I can see it in the KDE klipper clipboard "widget" history). Any application on my system may subscribe to the clipboard events and I have no idea if my partially correct password has now leaked further.

The same thing happens if "Display password" is not checked. But then only dots (one for each character) end up in the clipboard.

The "Change volume password" dialog suffers from the same problem. If I enter the wrong "current password" a copy of whatever is visible in the password input line ends up in the clipboard.

Steps to reproduce

  1. Run Linux with KDE, start Veracrypt GUI
  2. Choose to mount a volume
  3. Check the "Display password" box
  4. Enter the almost correct password
  5. When the dialog returns, the text visible in the password input ends up being selected (and copied to the clipboard), see attached screenshot
  6. (If I enter the correct password on the first attempt this does not happen)

Screenshots

Screenshot_20220617_215349

Your Environment

Please tell us more about your environment

VeraCrypt version: 1.25.9 Installed with deb package from https://www.veracrypt.fr/en/Downloads.html

Operating system and version:

Operating System: Kubuntu 20.04
KDE Plasma Version: 5.18.8
KDE Frameworks Version: 5.68.0
Qt Version: 5.12.8
Kernel Version: 5.4.0-120-generic
OS Type: 64-bit

System type: GNU/Linux 64-bit

peterNordin • Jun 17 '22 20:06