Bug Report and Request for Solution – Clipboard Behavior Issue in Passbolt

Feature requests
1

Dear Passbolt Development Team,

I would like to report a bug related to the clipboard functionality in Passbolt and request your assistance in developing a solution.

Issue Description:
When copying a password in Keepass, the following message appears:
“The data has been copied to the clipboard and will be cleared in 12 seconds. During this period, you can use Ctrl+V, and the password does not appear in the clipboard history at any time.”
This behavior works as intended.

However, when using Passbolt to access a URL, the password is not copied to the clipboard properly and remains “invisible.”

Observed Behavior:

  • Copying the URL works as expected – it appears in the clipboard history.

  • Copying the username also works correctly – it appears in the clipboard history.

  • Copying the password shows the message:
    “Success: The password has been copied to the clipboard. It will be cleared in 30 seconds.”
    After 30 seconds, you can no longer paste the password using Ctrl+V.
    However, the password remains visible in the Windows clipboard history (Win+V) both during and after the 30-second period.

Environment:
Tested on the following browsers:

  • Microsoft Edge

  • Google Chrome

  • Mozilla Firefox

Impact:
This issue poses a potential security risk, as passwords copied from Passbolt remain visible in the system clipboard history, unlike Keepass, which effectively hides them.

Request:
We request that the development team investigate this behavior and provide a solution to ensure that passwords copied from Passbolt:

  1. Can be pasted via Ctrl+V within the expected time frame.

  2. Do not remain visible in the system clipboard history.

  3. Behave consistently across all supported browsers.

Thank you for your attention to this matter. We look forward to your guidance or a patch to address this security concern.

Best regards,
David Leonardo,
LBV.

2

Hello David,

At this stage, we are not aware of any browser-supported mechanism that would allow an extension to prevent clipboard history persistence or to clear it programmatically.

Passbolt relies on standard browser APIs (such as the Web Clipboard API) to copy data to the clipboard. While this allows us to copy and later clear clipboard contents after a defined period, these APIs do not provide any control over the operating system’s clipboard manager, including the Windows clipboard history (Win+V).

This differs from applications like KeePass, which are native desktop applications and can interact directly with operating system APIs. This allows them to implement additional protections, such as preventing clipboard history storage or using specialized clipboard formats that are ignored by the OS clipboard manager.

On the Passbolt side, if your security policy requires stricter clipboard controls, it is worth noting that Passbolt provides role-based access control (RBAC) settings that allow administrators to disable the copy to clipboard functionality entirely for end users. This can be a useful mitigation if the goal is to prevent sensitive credentials from being exposed through the clipboard at all.

If disabling clipboard history is a hard security requirement in your organization, this can be enforced at the system level via Windows Group Policy by setting the AllowClipboardHistory policy to disabled under Computer Configuration.

Cheers,

3

Tanks for the information, Remy!