Samourai Wallet is accessing to the Clipboard without permission (SOLVED)

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: DaveF on October 28, 2023, 07:57:13 AM

Most mobile wallets allow you to paste in an address to send and add a receiving address to your clipboard so you can send it to someone the access itself is not that big a deal. With that I just played with a few wallets on my phone and most of them just took things from the clipboard without asking. So it appears to just be 'the way it's done'

On mobile at least, copying and pasting addresses seems to be the only way to send coins to it if it is located on the same device (if not, well QR codes solve that issue nicely, but then the below still applies).

But on desktop, I always verify that the address I copy is the same as the address listed on the screen. All characters are checked. This at least gives me peace of mind that there is no clipboard malware running amok.

albert0bsd

hero member

Activity: 862

Merit: 662

Quote from: o_e_l_e_o on October 29, 2023, 01:50:31 PM

It is checking your clipboard for any stored private keys and then warning you that you have keys on your clipboard and giving you the option to delete them.

Yes i see that on some screenshots on reddit.

Thank you for pointing out the code, I already checked that function and there is nothing suspicious there.

I just want to add that in any case that behavior isn't expected, i mean they do for "security" but without context any access to the clipboard without previous trigger of the users looks suspicious.

I am going to mark the Topic as solved and also close it in some day or two so if someone wants to add something additional it is welcome.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

It is checking your clipboard for any stored private keys and then warning you that you have keys on your clipboard and giving you the option to delete them.

Here is the relevant code for doClipboardCheck: https://code.samourai.io/wallet/samourai-wallet-android/-/blob/develop/app/src/main/java/com/samourai/wallet/home/BalanceActivity.kt#L1119

And here is the warning message it displays: https://code.samourai.io/wallet/samourai-wallet-android/-/blob/develop/app/src/main/res/values/strings.xml#L400

You can see from the code that it doesn't use the private key on your clipboard for anything else.

ABCbits

legendary

Activity: 2870

Merit: 7490

Crypto Swap Exchange

Quote from: albert0bsd on October 28, 2023, 07:44:07 AM

Quote from: rat03gopoh on October 28, 2023, 03:13:25 AM

Waiting for your update.

They already reply: https://www.talkimg.com/images/2023/10/28/T7kfl.png

Quote

Hello,

Clipboard access is used for various actions such as pasting in bitcoin addresses, paynyms, signing messages or transactions (have a look under the "Tools" menu), etc.

If you'd like to read the code, please feel free to read through our Gitlab here: https://code.samourai.io/wallet

To be honest I expected a better answer for this, their reply just sounds a generic one, they point to their repository but not the file or line that triggers this behavior.

I don’t know rick looks fake

That generic reply isn't really surprising since support team usually don't know much technical detail and i expect support team can't just ask technical team to directly answer customer question unless it's really important.

Quote from: DaveF on October 28, 2023, 07:57:13 AM

Most mobile wallets allow you to paste in an address to send and add a receiving address to your clipboard so you can send it to someone the access itself is not that big a deal. With that I just played with a few wallets on my phone and most of them just took things from the clipboard without asking. So it appears to just be 'the way it's done'

Out of all the things that go on with crypto, things like this are some of the least of my concerns.

In addition, since Android 10 application access to clipboard data is being limited. And i recall some brand or custom ROM even let you further limit clipboard permission.

Quote from: https://developer.android.com/about/versions/10/privacy/changes

Limited access to clipboard data

Unless your app is the default input method editor (IME) or is the app that currently has focus, your app cannot access clipboard data on Android 10 or higher.

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Most mobile wallets allow you to paste in an address to send and add a receiving address to your clipboard so you can send it to someone the access itself is not that big a deal. With that I just played with a few wallets on my phone and most of them just took things from the clipboard without asking. So it appears to just be 'the way it's done'

Out of all the things that go on with crypto, things like this are some of the least of my concerns.

And, I know I have said this before, but I'll put it out there again.

YOUR PHONE IS NOT SECURE. DO NOT KEEP REAL AMOUNTS OF CRYPTO ON IT. YOUR PHONE SHOULD BE TREATED AS A HOT WALLET. ONLY STORE WHAT YOU CAN AFFORD TO LOOSE ON IT.

-Dave

albert0bsd

hero member

Activity: 862

Merit: 662

Quote from: rat03gopoh on October 28, 2023, 03:13:25 AM

Waiting for your update.

They already reply: https://www.talkimg.com/images/2023/10/28/T7kfl.png

Quote

Hello,

Clipboard access is used for various actions such as pasting in bitcoin addresses, paynyms, signing messages or transactions (have a look under the "Tools" menu), etc.

If you'd like to read the code, please feel free to read through our Gitlab here: https://code.samourai.io/wallet

To be honest I expected a better answer for this, their reply just sounds a generic one, they point to their repository but not the file or line that triggers this behavior.

I don’t know rick looks fake

ABCbits

legendary

Activity: 2870

Merit: 7490

Crypto Swap Exchange

Quote from: FinneysTrueVision on October 28, 2023, 01:04:17 AM

They stopped using Github several years ago. I believe it was after they were acquired by Microsoft and they started censoring controversial projects and restricting users from sanctioned countries. Their code can be found on their self-hosted GitLab repository https://code.samourai.io/explore/groups

It's weird they never bother update their GitHub to mention location source code has been change and make it read only to prevent people wasting their time by creating new issue on GitHub.

Quote from: rat03gopoh on October 28, 2023, 03:13:25 AM

Quote from: FinneysTrueVision on October 28, 2023, 01:04:17 AM

I believe it was after they were acquired by Microsoft

I just found out about this, can you point me to the official announcement regarding this? That sucks if it's true, I thought they're actually spying the clipboard.

Searching on their GitHub issue, i only found out mention they no longer use GitHub at https://github.com/Samourai-Wallet/samourai-wallet-android/issues/351#issuecomment-753413373. I do not find anything on their blog and medium page.

rat03gopoh

hero member

Activity: 2212

Merit: 670

Signature designer - start @$10 - PM me!

Quote from: albert0bsd on October 27, 2023, 07:58:21 PM

I hope get some good answer from them

Waiting for your update.

Quote from: FinneysTrueVision on October 28, 2023, 01:04:17 AM

I believe it was after they were acquired by Microsoft

I just found out about this, can you point me to the official announcement regarding this? That sucks if it's true, I thought they're actually spying the clipboard. On the other hand, my short search found this news,
News snippet^[1]:

Quote

38TB of data accidentally exposed by Microsoft AI researchers ~

The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

~

1. https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers

FinneysTrueVision

sr. member

Activity: 1680

Merit: 379

Top Crypto Casino

Quote from: pooya87 on October 27, 2023, 11:39:58 PM

Quote from: albert0bsd on October 27, 2023, 07:58:21 PM

also asking to point in what file of the source code is this action done.

We can say with certainty that the Samourai Wallet software you are using on your phone is closed source considering how their repository has not been updated for ~3 years despite them releasing a lot of newer versions (last release on appstore is on Oct 6, 2023).

They stopped using Github several years ago. I believe it was after they were acquired by Microsoft and they started censoring controversial projects and restricting users from sanctioned countries. Their code can be found on their self-hosted GitLab repository https://code.samourai.io/explore/groups

I haven't reviewed their code but I assume they are accessing the clipboard as soon as the app is launched so users can quickly paste addresses and BTC amounts.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: albert0bsd on October 27, 2023, 07:58:21 PM

also asking to point in what file of the source code is this action done.

We can say with certainty that the Samourai Wallet software you are using on your phone is closed source considering how their repository has not been updated for ~3 years despite them releasing a lot of newer versions (last release on appstore is on Oct 6, 2023).

The source code is hosted elsewhere (https://code.samourai.io/wallet/samourai-wallet-android) and is up to date. Although the github page (https://github.com/Samourai-Wallet/samourai-wallet-android) does not reflect this migration, unfortunately.
We are now one step closer to finding the reason for this odd behavior. The code has many "listeners" watching the clipboard for many different reasons in a a bunch of different places.

albert0bsd

hero member

Activity: 862

Merit: 662

Quote from: rat03gopoh on October 27, 2023, 07:28:01 PM

In that picture (OP), what is it pasted?

When I saw the notification, I pasted the content of the clipboard in another application and it was a QR that I screenshot from some video (Non-crypto related).

But it can be anything, i usually have some passwords in the clipboard those passwords are in memory for some minute or two... passwordstore an open source password manager.

I already sent them an email asking the purpose of that behavior and also asking to point in what file of the source code is this action done.

I hope get some good answer from them

rat03gopoh

hero member

Activity: 2212

Merit: 670

Signature designer - start @$10 - PM me!

In that picture (OP), what is it pasted?

Quote from: albert0bsd on October 27, 2023, 06:51:33 PM

they said that samourai alerts you about private keys on the clipboard. But that still looks suspicious

Yes it can obviously recognize privatekeys and they claim to be a security measure. I can't see the point of implementing such security if the warning only appears when the wallet is opened.
I'm a bit skeptical from now on.

albert0bsd

hero member

Activity: 862

Merit: 662

Quote from: Bitcoin_Arena on October 27, 2023, 06:43:46 PM

This thread should not be on Reputations board. Perhaps wallet software is more suitable.

Ok, i will move it.

Quote from: Bitcoin_Arena on October 27, 2023, 06:43:46 PM

About watching your clipboard, that is worrying if an app just watches your clipboard minus prompting it. I thought such apps usually needed permissions to get enabled first?

Searching on google i found this:

https://www.reddit.com/r/Bitcoin/comments/8ivy4t/samourai_wallet_even_checks_your_clipboard_to/

they said that samourai alerts you about private keys on the clipboard. But that still looks suspicious

No, i think that the access to the clipboard doesn't need special permisions.

Bitcoin_Arena

copper member

Activity: 2114

Merit: 1814

฿itcoin for all, All for ฿itcoin.

Quote from: albert0bsd on October 27, 2023, 06:13:32 PM

In theory it is open source: https://github.com/Samourai-Wallet/samourai-wallet-android i am going to try to check the code. Also i am going to send an email to them.

Is it just me, or most of the activity on the Samourai wallet android repository is from 3 to 4 years ago?
Also, a number of open issues that have not been attended to. Their latest update was just this month, was not tagged in the repository. Last tagged release was on Apr. 16, 2020. I wonder why.

This thread should not be on Reputations board. Perhaps wallet software is more suitable.

About watching your clipboard, that is worrying if an app just watches your clipboard minus prompting it. I thought such apps usually needed permissions to get enabled first?

albert0bsd

hero member

Activity: 862

Merit: 662

Quote from: digaran on October 27, 2023, 06:00:42 PM

does it mean it just copied whatever was in your clipboard

The wallet just read the clipboard, i didn't touch anything to trigger that behaivor.

I didn't want to paste anything in that app at that moment.

That notification (APP NAME pasted from your clipboard) only appears when i paste something manually, but its the first time that it appear without me triggering that.

In theory it is open source: https://github.com/Samourai-Wallet/samourai-wallet-android i am going to try to check the code. Also i am going to send an email to them.

digaran

copper member

Activity: 1330

Merit: 899

🖤😏

Is it open source? If yes, who audit and reviewed the code? By pasted, does it mean it just copied whatever was in your clipboard or it just accessed the clipboard to be ready for when you want to paste an address to send coins to?

I can't tell why a wallet app which has access to your private key wants to know the content of your clipboard.

albert0bsd

hero member

Activity: 862

Merit: 662

Concerns about Samourai Wallet (Access to Clipboard without permission)

Hi guys i just want to let you know that I am deinstalling Samourai wallet from my android device, an also i am moving my utxos from that Seed to my cold wallet

Why?
I just noticed that Samourai wallet is Accessing to the clipboard with permission and without asking and without trigger..

How?
Some days ago I just activate one android option to alert me every time that an APP access to the clipboard, so when i do a long press in the touch to paste some informacion in the clipboard i get an screen notification "APPNAME pasted from your clipboard".

Almost all Apps work fine without any suspicious activity in this way, BUT i just notice that Samourai Wallet just do that at when you open it check the image:

When that notificacion pops? When I start the samourai wallet for the first time after unlock the pin screen, without doing anything else, that notification appears

What do you thing about this behaivor of that APP ?

Edit:

Looks like they do a clipboard check for your "security". In my Opnion this should be optional and only activated at the user request.

Quote from: o_e_l_e_o on October 29, 2023, 01:50:31 PM

It is checking your clipboard for any stored private keys and then warning you that you have keys on your clipboard and giving you the option to delete them.

Here is the relevant code for doClipboardCheck: https://code.samourai.io/wallet/samourai-wallet-android/-/blob/develop/app/src/main/java/com/samourai/wallet/home/BalanceActivity.kt#L1119

And here is the warning message it displays: https://code.samourai.io/wallet/samourai-wallet-android/-/blob/develop/app/src/main/res/values/strings.xml#L400

You can see from the code that it doesn't use the private key on your clipboard for anything else.

Topic: Samourai Wallet is accessing to the Clipboard without permission (SOLVED) (Read 206 times)