VeraCrypt
Leak of almost correct password to clipboard from GUI, at least in KDE
Expected behavior
Veracrypt should not automatically trigger copying of contents of the password input field.
Considered "solutions/expected behavior" (just brainstorming):
- Do not auto select the text when returned to the password dialog
- Completely block any attempt to copy from the password dialog (maybe not a good idea, not sure)
- If user has checked "Display password", when user presses the OK button to proceed with decryption, reset the "Display password" checkbox to unchecked, so that in the case of failed decryption, the password is hidden again when returned to the dialog. The user may then choose to display the password again.
Observed behavior
I am not sure if this is an issue in Veracrypt or my desktop environment (KDE) or a combination of the two. I have not tried on other platforms/desktop environments.
I use the Veracrypt GUI to mount an encrypted volume. My password is very long and to avoid mistyping it I checked the box "Display password". Still I wrote one character wrong and my volume failed to decrypt and mount.
This is where the problem occurs. When I am returned to the "Enter password for /path/to/volume" dialog, my incorrect password is automatically selected/highlighted (like drag selecting it with the mouse). This automatically triggers a copy-to-clipboard, and my almost correct password has now leaked in clear text to the clipboard. (I can see it in the KDE klipper clipboard "widget" history). Any application on my system may subscribe to the clipboard events and I have no idea if my partially correct password has now leaked further.
The same thing happens if "Display password" is not checked. But then only dots (one for each character) end up in the clipboard.
The "Change volume password" dialog suffers from the same problem. If I enter the wrong "current password" a copy of whatever is visible in the password input line ends up in the clipboard.
Steps to reproduce
- Run Linux with KDE, start Veracrypt GUI
- Choose to mount a volume
- Check the "Display password" box
- Enter the almost correct password
- When the dialog returns, the text visible in the password input ends up being selected (and copied to the clipboard), see attached screenshot
- (If I enter the correct password on the first attempt this does not happen)
Screenshots
Your Environment
Please tell us more about your environment
VeraCrypt version: 1.25.9 Installed with deb package from https://www.veracrypt.fr/en/Downloads.html
Operating system and version:
- Operating System: Kubuntu 20.04
- KDE Plasma Version: 5.18.8
- KDE Frameworks Version: 5.68.0
- Qt Version: 5.12.8
- Kernel Version: 5.4.0-120-generic
- OS Type: 64-bit
System type: GNU/Linux 64-bit
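
The report shows the selected password text appearing in the Klipper history. The script below is an added example, not part of the original report or of VeraCrypt's code, that audits a Klipper configuration for whether text selections are recorded in that history. It assumes Klipper keeps this option as `IgnoreSelection` in the `[General]` group of `klipperrc`; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: does Klipper record mouse/keyboard selections in its history?
# Assumption: option "IgnoreSelection" in group [General] of klipperrc.

# Print the lower-cased value of key $2 in [General] of file $1, or "unset".
klipper_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { grp = $0; gsub(/^[ \t]+|[ \t]+$/, "", grp); next }
        grp == "[General]" {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = tolower(v)   # last assignment wins
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Classify a klipperrc: records-selection | ignores-selection | unknown.
klipper_selection_risk() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(klipper_get "$1" IgnoreSelection)" in
        false) echo records-selection ;;   # selected text enters the history
        true)  echo ignores-selection ;;
        *)     echo unknown ;;             # key absent: built-in default applies
    esac
}

# Constructed sample config (not taken from the report).
sample_klipperrc() {
    printf '%s\n' '[General]' 'IgnoreSelection=false' 'MaxClipItems=20'
}

# With a path argument, audit that file; otherwise audit the sample.
if [ -n "${1:-}" ]; then
    klipper_selection_risk "$1"
else
    demo=$(mktemp) && sample_klipperrc > "$demo"
    klipper_selection_risk "$demo"
    rm -f "$demo"
fi
```

Run it against `~/.config/klipperrc` to audit a real profile; a result of `unknown` means the key is not set and the version's built-in default decides.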