by itsananderson 1790 days ago
If an attacker is on your device, they very likely have access to your clipboard, so how is that more secure? I cringe whenever my password manager's autofill fails and I have to fall back to copy/pasting, because I know that I'm now storing my password in system memory in plaintext. Most password managers clear the clipboard after some timeout, but that's hardly helpful against an on-device threat.

If the attacker has access to your device, you're going to be severely compromised no matter what you do. Why pretend otherwise?
True, if an attacker has control of your device you are probably screwed anyway, but there are still different degrees of screwed. There are more and less privileged portions of your system, and keeping sensitive data to less secure areas is still not a great idea. With browsers offering clipboard access as a JavaScript API, it is definitely an area I would consider less well secured than, say, read-protected memory or a process-isolated browser extension sandbox.
Fair point, but I don't think you can _read_ the contents of the system clipboard, can you? I thought you could set it but had to wait for a paste event to read it.
It requires a permission request, but yes, there's a browser API to read the clipboard contents: https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/r...
On iOS and Mac the clipboard is readable to all apps without interaction. (E.g., Slack allows login on Mac desktop by copy/pasting text from the browser. Chrome on iOS will auto-paste from the clipboard to show a target URL.)
Both of your statements are valid. If an attacker has access to your device you are *severely* compromised and you can't do much. I am going off the idea that your password manager clears your clipboard history however, but this is a valid and true statement. The thing is: nothing will be 100% secure. Ever. But if we evolve our security at the same rate loopholes, etc. are being found, we can prevent data breaches, identity theft, etc. before it even happens.
I guess my feeling is that doing something like this when your machine is already compromised is a little like putting your key under the welcome mat instead of leaving it plainly visible. Perhaps the very incurious attacker won't get around it, but it's not much effort to find.
Yeah, on a Win10 device hold the Windows key and tap V.

There is your copy/paste history in plain text.