Kdeconnect hack or bug?

The clipboard content of my phone ended up on the command line of my tablet as I was typing on the tablet.

I was not using and have never used the remote input feature of the phone’s kdeconnect app.

I suspect this is a hack but thought I’d ask if it’s a known “bug” (though how data being arbitrarily transferred can be seen as a bug and not a hack is beyond me).

It’s either a bug or a hack, because I was updating my roommate’s machine and I noticed on his clipboard contents from my clipboard and items from my phone. My phone should only be paired with my system, not his. In the short term I have removed KDEConnect from my PC.

It’s the clipboard plugin.
By default it’s on and syncs the clipboard contents.

(In the case of the person where it synced with their friend’s device it’s probably an auto pair issue. Not the safest defaults if that’s the case.)

Actually, when you stop to think of it, in a case where you have a secure linux box and say an android phone, any rogue android app can peek the clipboard and get all the copied data from a file editing/authoring session on the linux box.

So the clipboard plugin’s “automatically share the clipboard” option should be off by default or at least turned off right away after installing a linux with kdeconnect or buying and booting an oem linux machine, eg: pinetab, starlite etc…

First - this is not a “hack” (as in a malicious person is accessing your device remotely). No one is hacking your clipboard.

Secondly, it’s not much of a security issue - no more than otherwise using the clipboard on your Android device. Since Android 11, background applications cannot access your clipboard at all, and since Android 12 every time an application accesses your clipboard not through the user actively using the “Paste” command, you will see a toast notification - so if you haven’t seen toasts to the effect of “app copied from clipboard”, you do not have a malicious app that stole your clipboard data. Finally, since Android 13, clipboard data is automatically removed from the clipboard after a minute or so, so even if your KDEconnect copied some clipboard data to your phone, a foreground app will not be able to access it (unless you manually paste) after about a minute.

Regarding @CCG’s complaint - there is no way that one instance of KDE connect shared information with another instance, unless it was paired. If you open the KDEconnect app on your phone and open the sidebar, you will see all the devices that are paired with it: if @CCG’s phone does not list his roommate’s machine as a paired device - then it cannot send clipboard content to it.

I don’t know anything about “auto pairing” - it’s not a feature of KDE connect (at least not on Android and Linux). The only way to pair KDEconnect devices is if on one device the user searches for unpaired devices and manually requests pairing, and then the other device shows a notification and the user must approve. If you have two devices that share information - they have been manually paired.

Regarding “command line” - you will get clipboard content from your phone on the command line if you copied text into the clipboard on your phone and then - on your tablet - you used the paste action. There is no other way it can get there. Sometimes we hit CTRL+V without actively trying to do that - it happens.

My observation, not COMPLAINT, is that I have never paired or attempted to pair with my roommate’s machine, and if he had attempted to pair with my phone I would have refused the request.

If you read my replies I got that it’s not a hack and it’s the clipboard plugin’s default behaviour.

Which it shouldn’t be considering any android app can sniff the clipboard.

At least not if you’re concerned about security. The Android apps are not the Linux apps and are not subject to the same scrutiny.

If you trust Google good for you I guess but most people don’t trust supporters of genocidists invading and murdering men women and children and killing babies in hospitals to take and inhabit their lands. Best for those people to turn off the automatic clipboard sharing. Better yet is to get a linux phone and drop Google’s products and services altogether.

Thanks for clarifying about any possible auto pairing.

That is not correct - as I’ve explained previously, in any modern Android version only the foreground app can access the clipboard, and you get a notification about it.

Let’s clear this up a bit. I had a bit to think on this and I noticed content in Gary’s CopyQ that should have only been in my CopyQ. Since as far as I know CopyQ doesn’t work through the network and the only network sharing apps on the two computers are KDEConnect which is also on both phones and LocalSend just on the PCs. Since LocalSend also doesn’t access the clipboard that only leaves KDEConnect. Maybe a pairing request came through and I thought it was my phone and instead it was Gary’s computer.

Check the device list in your KDE connect, and give your phones (and PCs) distinct names.

They don’t have to show what they sniff and up to 11 (below 10 actually), which is a lot of phones, any rogue app won’t.
The other measures since are near useless. Users can tap any item and the app can use that to initiate getting the clipboard contents. The toast wouldn’t have been necessary in subsequent versions otherwise. And what good is a toast anyway after the clipboard is pasted? The app has the data. And likewise what good is a timeout? The app has the data.
None of these are real security measures and Google themselves say it:
“Not implementing one of the aforementioned flags [ ClipDescription.EXTRA_IS_SENSITIVE or android.content.extra.IS_SENSITIVE ] in fact allow attackers to exfiltrate sensitive data copied to the clipboard by either shoulder surfing or through malicious applications that, while running in background, take screenshots or record videos of a legitimate user’s activities.”

And kde connect on the android side does not use the flags referred to when setting the data it receives to the clipboard.

So yes, any android app can sniff the clipboard.

The defaults of the clipboard plugin should not allow auto sync by default and certainly not auto sync password fields.

But I’m not KDE, so all I can do is alert users of the security risk and suggest that they turn them off.

The question begs though: how does kdeconnect get the clipboard contents on the android side from android 10 on?

Do they run as a system app and do system apps have the permission to read clipboard from background?

–Edit–
Close, signature level permission. Which kde gets.
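
Added example, not part of the thread and not KDE Connect's own code: how an Android app sets the `ClipDescription.EXTRA_IS_SENSITIVE` / `android.content.extra.IS_SENSITIVE` flag quoted above when it places text on the clipboard. On Android 13 and later the flag keeps the content out of the on-screen clipboard preview. The helper names `setSensitiveClip` and `clearClip` are hypothetical.

```kotlin
import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.PersistableBundle

// Hypothetical helper (illustration only): put text on the clipboard and
// mark it as sensitive before handing it to the system.
fun setSensitiveClip(context: Context, label: String, text: String) {
    val clipboard =
        context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
    val clip = ClipData.newPlainText(label, text)

    // ClipDescription.setExtras() is available from API 24.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
        // The named constant exists from API 33; older targets use the
        // literal key string with the same meaning.
        val key = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            ClipDescription.EXTRA_IS_SENSITIVE
        } else {
            "android.content.extra.IS_SENSITIVE"
        }
        clip.description.extras = PersistableBundle().apply {
            putBoolean(key, true)
        }
    }
    // The flag must be set before the clip is made the primary clip.
    clipboard.setPrimaryClip(clip)
}

// Hypothetical helper: remove the current clip once it is no longer needed.
fun clearClip(context: Context) {
    val clipboard =
        context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        clipboard.clearPrimaryClip() // API 28+
    } else {
        // Older releases have no clear call; overwrite with an empty clip.
        clipboard.setPrimaryClip(ClipData.newPlainText("", ""))
    }
}
```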