Yuriy “Cheese” Syrovetskiy
48 followers
One who talks to machines

Today I found ClipboardHistory.db in my Library/Application Support/TextMate directory. When I looked inside I was horrified to find pieces of my code, various text, and EVEN PASSWORDS that I had in my clipboard at one time or another for the past countless months. Turns out new versions of TextMate have a little "feature" of storing my whole clipboard history for me, and EVEN PERSISTING IT TO DISK (because, apparently, I might close the editor, and lose all that juicy history!). Since my Mac has TextMate running for practically 100% of the time it means all that time everything has been leaked, stored to disk, carefully backed up to Time Machine.

What's even worse is that this feature cannot be disabled anywhere in settings. There is a feature to disable "persistent" clipboard history, but it may only be set with "defaults write", which is not nice at all. A feature with such horrible security implications SHOULD BE IN BOLD RED TEXT ON THE FIRST SETTINGS PAGE (and preferably disabled by default too, with a nuclear logo next to it just in case anyone thinks they should enable it). And even if you disable persistence it's still in memory (not sure, but maybe even scriptable?). CLIPBOARD IS ALWAYS SENSITIVE, so it shouldn't be leaked, kept in a "history", or persisted in any way.

My hair is literally standing on end right now, because the potential for everything being compromised was enormous. A recent Firefox vulnerability showed pretty clearly it was possible to leak your files all over the web (good thing I stopped using Firefox long ago), and unencrypted ssh keys, for example, are ALWAYS targeted in such cases. Well, ClipboardHistory.db is even juicier in its potential for malicious use, congratulations.

So I scrubbed my local files, scrubbed my Time Machine backups, disabled persistence and will probably stop using TextMate altogether (like Atom better anyway). But I'm still horrified how long I could go without knowing about this.
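
An audit of the file described in the post above, as an added example that is not part of the original post or of TextMate: it counts secret-looking entries per table and column without printing them. It assumes ClipboardHistory.db is an SQLite database (the post does not say), and the patterns are constructed heuristics.

```python
import re
import sqlite3
from pathlib import Path

# Path as given in the post; that the file is SQLite is an assumption.
DB_PATH = Path.home() / "Library/Application Support/TextMate/ClipboardHistory.db"

# Constructed heuristics for secret-looking text; extend for your own environment.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(pass(word|wd)?|secret|token)\b\s*[:=]\s*\S+"),
}

def classify(text):
    """Return the sorted names of all patterns that match text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def audit(db_path):
    """Count secret-like values per (table, column); never echoes the values."""
    findings = {}
    # Read-only URI so the audit cannot modify or create the file.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    if isinstance(val, bytes):
                        val = val.decode("utf-8", "replace")
                    if not isinstance(val, str):
                        continue
                    for hit in classify(val):
                        bucket = findings.setdefault((table, col), {})
                        bucket[hit] = bucket.get(hit, 0) + 1
    finally:
        con.close()
    return findings

if __name__ == "__main__":
    try:
        for (table, col), hits in sorted(audit(DB_PATH).items()):
            print(f"{table}.{col}: {hits}")
    except sqlite3.Error as exc:
        print("missing or not readable as SQLite:", exc)
```

Run the same audit against a mounted Time Machine snapshot by passing that copy's path to `audit()`.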

Instagram has officially gone to shit