If use one of the best Samsung phones, then you definitely should be aware of a newly discovered security flaw which affects their clipboard feature.
As pointed out by users on the US Samsung Community board, the clipboard feature saves everything you copy over – including passwords – as plain text, indefinitely.
This means if you copy over a password from one of the best password managers, it’s hanging out in your clipboard as plain text until it is manually deleted.
If you copy over any banking information, a draft of your resume, any other personal information, emails, data? It’s all there in the clipboard history, in plain text, with no expiration at all.
This turns the clipboard feature from a handy short cut into a security issue. It doesn’t matter if you’re using a third-party keyboard, or even Google's own Gboard which is known to delete clipboard text within an hour. The history of your copy/pastes is still saved under Samsung’s jurisdiction.
Why is that a security flaw? If anyone picks up your unlocked phone and checks the clipboard, all your passwords or saved information is just there waiting to be accessed. Even worse, there are plenty of malicious info-stealing trojans like StilachiRAT that are specifically designed to search through the clipboard for passwords so they can steal banking information and credentials.
Samsung moderators confirmed the flaw in the community board, and stated that there is currently no easy solution. The moderators pointed out that the users raised a valid concern and confirmed “There’s no built-in setting to auto-delete clipboard contents after a certain period, which can indeed pose a security risk.”
The moderator responding on the board also promised to forward feedback to the appropriate team, adding that they agreed that an option to auto-clear the clipboard after a set time frame, or to exclude sensitive apps from clipboard history would be “valuable enhancements.”
The clipboard feature is built into the One UI system and is part of the user interface on devices running Android 9 or later. Currently there is no option to automatically delete anything that has been copied over to the clipboard. The only option is for users to manually go in and delete anything that is sensitive information.
How to stay safe
For the time being until a fix is rolled out, it's best that you don't use the clipboard feature on your Samsung phone or tablet to handle sensitive information.
I know this seems like a major inconvenience and it definitely is. The good news though is that you can get around having to copy and paste passwords by using passkeys instead.
Unlike passwords, there's nothing to remember with passkeys as each one is a unique digital key which can't be reused. They're also stored in an encrypted format on your devices which helps keep them safe in the event of a data breach.
Since they were first introduced in 2022, more sites and services have adopted them. For instance, you can currently use passkeys with your eBay, PayPal, BestBuy and many other online services and retailers. Check out this dedicated site on passkeys to for a full list of all of the companies that now support this new passwordless authentication method.
Now that Samsung's clipboard issue has been brought to the attention of both its users and the company itself, expect the Korean hardware giant to make big changes to the next version of One UI to nip this major security issue in the bud once and for all.
Stay tuned to Tom's Guide as we'll be following this closely from a security standpoint and we'll update this article once the issue has truly been fixed.
More from Tom's Guide
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
