Firefox Fixes Cloud Clipboard Vulnerability That Leaked User Credentials

Mozilla developers have fixed a bug in Firefox related to the Cloud Clipboard feature, which previously caused usernames and passwords to be leaked. Due to this bug, user credentials copied from the browser’s password manager could end up in the clipboard and potentially be exposed to third parties.

The vulnerability was actually addressed in Firefox 94, released last month, but Mozilla has only now provided detailed information about the issue. The problem was connected to the Windows Cloud Clipboard, a feature introduced in Windows 10 (version 1809) in September 2018. This feature allows users to sync their local clipboard history with their Microsoft account.

By default, Windows Cloud Clipboard is turned off. Once enabled, users can access the cloud clipboard by pressing Windows + V. This gives access to clipboard data across all connected devices and saves clipboard history, allowing users to view previously copied and pasted data.

According to Mozilla, they have modified Firefox so that usernames and passwords copied from the browser’s password section (about:logins) are no longer saved to the Cloud Clipboard. Instead, this sensitive information is stored only locally in a separate clipboard section.

Mozilla considers saving credentials in the Cloud Clipboard to be potentially dangerous. An attacker with access to a synced device could simply press Windows + V and retrieve any clipboard data from other devices. Even worse, there would be no trace in local logs indicating that someone accessed or viewed sensitive data (such as passwords) through the cloud clipboard.

Additionally, Mozilla has extended this protection to Private Browsing windows. Now, anything copied from a Firefox Private Browsing tab will also not be synchronized with the Windows Cloud Clipboard.