FRESH

Hacker News

Home

Show HN: I built a universal clipboard that syncs realtime on multiple devices

38 points by imgopaal

by Retr0id

2 subcomments

I inspected the HTTP requests and this is absolutely not E2EE. Clipboard contents are POSTed as plaintext to https://www.quickclip.space/api/encrypt, and can be decrypted later via https://www.quickclip.space/api/decrypt
Encryption appears to be in the openssl "Salted__" format (and base64 encoded). I can't infer the actual encryption algorithm configured, but it's an unauthenticated block cipher with 128-bit blocks, presumably in CBC mode, padded with PKCS7.
Additionally, the same encryption key (whatever it is, I can't see it since it's stored on the server) is shared across all users (I tested this by decrypting a ciphertext from one account on a second account).

by yoavm

1 subcomments

For those of us on Linux, I've built clapboard - a lightweight clipboard manager that uses whatever dmenu-like system for GUI, and plain files as a storage backend. Because all the history is just files, you can easily sync it between devices with a tool like syncthing. Probably a bit more slower than 0.1s though!
https://github.com/bjesus/clapboard

by sudopsuedo

2 subcomments

https://www.quickclip.space/data-deletion
.>client apps are not open source
.>data-deletion page seems to imply servers are storing images/files copied to the clipboard
.>"end-to-end encrypted" in the marketing materials.

by ValdikSS

3 subcomments

KDE Connect does that in LAN. Clipboard sync, file transfer, contacts, calls, remote control, etc.

by ax0ar

1 subcomments

Cool. I just wouldn't use it at all in its current form without more information on how you handle my data.
Why should users trust you?

by shinycode

2 subcomments

I did something similar with Claude code, I did not write a single line of code and it’s hosted on cloudflare workers. With the free tier it’s enough for one person (and I feel safer to own and host my private data). Works beautifully. Your website does not show how it works, no screenshots, it would be better with it

by Terretta

0 subcomment

So, real time unencrypted pastes of password manager MFA digits from active user device to CC server? Cool cool.
This is definitely not 1/2 of a smishing toolkit pretending to be a convenience utility.

by semyonsh

1 subcomments

The website does not show anything on how the product is used, which is kind of important for me as a potential customer. Especially if it's going to be effectively handling my copy/pasting of sensitive information.
Does it use some client, what do I need to install on my devices (if supported) and what permissions does it need etc? Instead I'm greeted by a login page.
It's not transparent enough for me how the product is used before signing up and that's a huge turn off.

by imgopaal

2 subcomments

Thank you to everyone who took the time to review QuickClip and give honest feedback. I spent the day going through everything and fixing the issues that were pointed out, especially around security.
You were right. The concerns were valid, and they’re now addressed.
1. Shared encryption key (Retr0id's main issue): Problem: All users shared one encryption key, so any user could decrypt any other user's data. Fix: Each user now has a unique encryption key derived via PBKDF2 from master key + user ID (10,000 iterations). Old items encrypted with the shared key are detected during decryption and automatically re-encrypted in the background with the new per-user key. Backward compatibility is maintained during the migration.
2. Public image access (Retr0id's second issue): Problem: Images were publicly accessible without authentication. Fix: Images now use signed URLs that expire after 1 year. The app automatically converts any public URLs to signed URLs. Storage bucket policies restrict access to user-specific folders.
3. Storage enumeration (foltik's issue): Problem: Could enumerate all user uploads with a sign-up token. Fix: Storage policies now restrict folder access by user ID. Still reviewing listing permissions to prevent enumeration.
4. E2EE misrepresentation: Problem: Marketing claimed "end-to-end encrypted" but it wasn't true E2EE. Fix: Added a /data-security page that explains: It's server-side encryption with per-user keys, not true E2EE Why server-side encryption was chosen (seamless cross-device sync)
5. Transparency issues: Problem: No information about how data is handled before signup. Fix: Added /data-security page with details. Link added to footer. Removed the footer joke that hurt trust.
6. Other fixes: Rate limits adjusted for encryption/decryption operations Background re-encryption for old items Proactive signed URL conversion for images What's still being worked on: Storage bucket listing permissions (enumeration prevention) Adding screenshots to landing page FAQ section Considering open source (evaluating) I appreciate the security review. The app is more secure now, and I'm committed to transparency about what it does and doesn't do. Check /data-security for the full explanation.

by nottorp

1 subcomments

Funny, i want Apple to STOP synchronizing my clipboard between devices. I'm doing different things on them and I don't need the last piece of code on my desktop to paste in the 'where do we go out tonight' chat on whatsapp on my phone.
If I do want to move some info i'll message it to myself thank you.

by phireal

1 subcomments

KDE Connect works fine for me and does more than clipboard (files, mouse sharing etc.).

by zekejohn

2 subcomments

i know a gemini 3 site when i see one lol, looks good tho! Does this work if you copy an image on your phone/laptop, will it sync to the other device?

by dailen

1 subcomments

So I just wanted to take a moment and say nice work I have a solution that works for me at the moment, although I should check if it's e2ee, but this is a great example of a simple SaaS that could really catch on and meet the niche needs of users. I like the design, I like the implementation, and I really like the price. Everyone and their 3rd cousin charges $5/month for for simple functions which I usually just pass on but yours is a great price point for the job.
Will definitely repost on social media!

by baobun

0 subcomment

> For Developers
Would you mind sharing the source code?
> Copy API keys
...yeah, I think that'd be a hard requirement. I don't think there is value in a cliboard-as-a-SaaS that is not self-hostable or even auditable.
I think you are putting the cart before the horse and putting your users at risk by integrating credit card payments before sorting out the basics.

by r0xsh

0 subcomment

Closed source ? i mean thanks for the project but not for me

by sixtyj

2 subcomments

Copy API keys
I would add examples how data encryption works. This is so sensitive topic. But if you explain it nicely, people could use the service.
I would add FAQ. Boxes seem like I can read more but I can’t.

by jzellis

1 subcomments

I sync my history between Fire/Waterfox on my phone and laptops, and since almost anything I wanna copy and paste is in the browser, I just open whatever it is from Other Devices. For files or images, I use LocalSend now for everything.
Which is not to say there's not a big use case for this, but speaking only for myself, it's not a pain point. But it looks cool!

by janandonly

1 subcomments

I forgot that this was a problem for some. I’ve been op iPad iPhone and macOS for too long it guess.

0 subcomment

by yablak

0 subcomment

See also Push Go: https://chromewebstore.google.com/detail/push-go-for-pushbul...
... works with Pushbullet apps.

by Someone

1 subcomments

> Would honestly love to hear, how you move stuff between devices today
In cases where iOS/macOS misbehave, I use (IMAP) email without sending anything:
- create new mail message
- paste text or add attachments
- save as draft
- open draft on other device
- copy out the data
- delete draft
Works reliably for not-too-large items