Firefox fixes password leak via Windows Cloud Clipboard feature
Mozilla has fixed an issue in its Firefox browser where usernames and passwords were being recorded in the Windows Cloud Clipboard feature, in what the organization categorized as a severe security risk that could have exposed credentials to non-owners whenever users copied or cut a password.
The issue was fixed in Firefox 94, released last month, but was detailed in more depth this week by Mozilla developers.
At its core, the bug is related to Windows Cloud Clipboard, a feature added to Windows 10 in September 2018 (v1809 release) that allows users to sync their local clipboard history to their Microsoft accounts.
The feature is disabled by default, but once enabled, it allows users to access the cloud clipboard section by pressing the Windows+V shortcut. This grants users access to clipboard data from all devices, but the feature is also used for its clipboard history capabilities, allowing users to go through past items they copied or cut and re-paste the same data in new contexts, making it extremely useful for most IT workers.
In a blog post on Wednesday, Mozilla said that they have now modified the Firefox browser so that usernames and passwords copied from the browser's password section (about:logins) won't be stored in the Windows Cloud Clipboard feature, but instead will be stored only locally, in a separate clipboard section.
Mozilla said it considered this behavior dangerous, as a threat actor with access to a synced device could simply press Windows+V and access any clipboard data from a user's past activity on other devices.
This is especially dangerous, as there will be no trail in local logs of someone accessing or viewing data (such as passwords) via the Cloud Clipboard, Mozilla said.
Mozilla also said it added this protection to Private Browsing windows, so nothing copied from a Firefox private window, and not just user credentials, will be synced to the Windows Cloud Clipboard.
Tests performed by The Record today with a Firefox 95 browser confirmed that usernames and passwords no longer sync to the Windows Cloud Clipboard.
Tests performed on Chromium-based browsers showed that they did not include this protection, and usernames and passwords from Chrome were synced to Microsoft cloud servers. Users should be aware of who might access their passwords if they have Cloud Clipboard enabled and are using a non-Firefox browser.
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.