Galaxy devices can leak passwords via clipboard bug

Samsung has been caught with a glaring security issue in its One UI Android launcher. Some of its Galaxy devices running One UI store copied passwords in plaintext on the clipboard, making it easy to steal them.

The issue came to light when a user going by OicitrapDraz posted on the Samsung community forum asking for a clipboard self-clearing feature. They noted that they use KeePass, a popular password manager, and copy and paste their passwords all the time because the passwords in question are long and complicated. When the user noticed that passwords were copied to Samsung’s clipboard in plaintext, they switched to Gboard, Google’s keyboard app, but the copied passwords were still stored on the Samsung clipboard.

This isn’t a new issue, and Google’s keyboard app automatically clears out the clipboard every couple of hours. However, because Samsung’s launcher doesn’t do the same, users need to be careful about copying sensitive information to the clipboard, especially since they have to remember to clear the clipboard history manually.

Samsung’s response wasn’t enthusiastic either. A Samsung account responded as follows on OicitrapDraz’s post:

We understand your concerns regarding clipboard behavior and how it may affect sensitive content. Clipboard history in One UI is managed at the system level.

Your suggestion for more control over clipboard data—such as auto-clear or exclusion options—has been noted and shared with the appropriate team for consideration.

In the meantime, we recommend manually clearing clipboard history when needed and using secure input methods for sensitive information.

The response doesn’t suggest that Samsung will resolve the issue soon, despite users complaining about it for years. Additionally, since the clipboard can’t be bypassed by using another keyboard app, users are left entirely vulnerable to credential theft if their phone is stolen or an app decides to read their clipboard.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
