I use Bitwarden as my password manager. Out of paranoia, I have been logging into Bitwarden only while an empty tab is open in case some random website is able to access my keystrokes while I use the plugin.
I am a web developer, but I wasn't actually able to find information about whether this is a real risk or not last year when I began doing it. Can anybody clarify?
The problem is that iOS doesn't differentiate between a call that merely checks for the presence of a clipboard entry (e.g. so you can enable "Paste" in a menu/submenu) and actually copying the contents of the clipboard.
The workaround (for legitimate apps) is to simply always keep that "Paste" option enabled, even if the clipboard is empty. That way you won't freak out your users and only suffer the most minor of usability consequences.
Having said that I don't think TikTok has any relevant functionality such as enabling a "Paste" option so... Most likely nefarious!
I believe any time you paste with the native keyboard UI up it doesn't go through the app. You only need to snoop the clipboard if you want to proactively use the data without having the user paste.
It seems to me that Touch ID is slightly less secure, given that it stores your fingerprint on the device and you rely on the Apple module and crypto to be implemented securely.
With a Yubikey, the only thing you have to do to stay secure is to not lose it or let others use it.
The attack surface is larger but it's still not an attack almost anyone needs to worry about - a 0 day on the T2 (which has never been publicly found/reported on) is something only worthy of nation state attacks on other nation states.
I took a short look at this and it appears to be a work in progress that varies between browsers...
Chrome implements a "clipboard-read" permission that can be requested by calling navigator.clipboard.read(). When a page calls that it will display a permission request dialog (like those asking for permission to show notifications on seemingly every single news web page). A little clipboard icon will also appear in the nav bar showing the status of the permission (visible after a read attempt is made during that visit).
Firefox is apparently on track as well, although for now the clipboard.read function is not implemented for pages and can only be called by extensions. I'm not sure what the permission dialog for extensions is like.
So... it may be safe. But it is a work in progress and each browser is different. I've only checked the most well-documented method for reading the clipboard... maybe there is some other half-implemented feature or event listener that happens to leak some clipboard data...
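As an added illustration of the permission gate this comment describes (example code, not part of the thread), here is a page-side helper that queries the clipboard-read permission state first and only then calls navigator.clipboard.read(), treating a denial, an unsupported browser or an unfocused document as ordinary outcomes rather than errors. The `nav` parameter and the `makeStubNavigator` helper are assumptions added so the code can be exercised outside a browser.

```javascript
// Added example (not from the thread): a page can only read the clipboard
// through the permission-gated Async Clipboard API. This helper reports
// what happened instead of assuming the read succeeds. `nav` defaults to
// the real navigator; a stub (an assumption for offline use) takes the
// same code paths.
async function readClipboardWithConsent(nav = globalThis.navigator) {
  // Step 1: query the current permission state without prompting.
  // Browsers that do not know the "clipboard-read" permission name
  // reject the query with a TypeError; treat that as "unsupported".
  let permission = "unsupported";
  if (nav && nav.permissions && typeof nav.permissions.query === "function") {
    try {
      const status = await nav.permissions.query({ name: "clipboard-read" });
      permission = status.state; // "granted" | "denied" | "prompt"
    } catch (e) {
      permission = "unsupported";
    }
  }
  if (permission === "denied") {
    return { status: "denied", permission, items: 0 };
  }
  if (!nav || !nav.clipboard || typeof nav.clipboard.read !== "function") {
    return { status: "unavailable", permission, items: 0 };
  }
  // Step 2: attempt the read. When the state is "prompt" Chrome shows its
  // permission dialog; it rejects with a NotAllowedError if the user
  // declines or if the document is not focused (for instance while an
  // extension popup holds focus).
  try {
    const items = await nav.clipboard.read();
    return { status: "read", permission, items: items.length };
  } catch (e) {
    if (e && e.name === "NotAllowedError") {
      return { status: "blocked", permission, items: 0, reason: e.message };
    }
    throw e; // anything else is a bug, not a policy decision
  }
}

// Constructed stub navigator for running the helper outside a browser:
// `permissionState` is what permissions.query reports, `readImpl` stands
// in for clipboard.read().
function makeStubNavigator(permissionState, readImpl) {
  return {
    permissions: { query: async () => ({ state: permissionState }) },
    clipboard: { read: readImpl },
  };
}
```

In a real page, call `readClipboardWithConsent()` from a click handler; the returned `status` tells you whether the user was prompted and declined, whether the document lacked focus, or whether content was actually read.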
I had the same exact concern, and I haven't been able to find reliable confirmations on this being completely impossible either.
It's easily testable, though, that a webpage that isn't focused (because an extension's pane is open) doesn't receive input events. Likewise, Chrome [1] and Firefox [2] extensions themselves cannot bind to relevant keys for example. All in all I would say that going through an empty tab is unnecessary - even though I got into the habit of doing it as well - and even if this wasn't true 2FA should be enough to thwart most malicious actors.
Well, you probably couldn't find any confirmation because nothing in the security world is completely impossible :) Webpages aren't supposed to be able to receive input events when the extension popup is open, but there could still be an unknown vulnerability in Chrome/Firefox.
So if you care enough it's best to mitigate that risk by using the standalone application for your password manager, or better yet use a completely separate device like your phone!
On Chrome at least, Bitwarden has its own extension popup window with the vault. This is a completely separate web context. There's no way for the open website to detect your keystrokes barring a vulnerability in Chrome itself.
If you really want to be safe, you should use the standalone desktop apps and skip the browser extension altogether. Doing that empty tab thing probably doesn't protect you from anything.