by Beltalowda 1333 days ago
Are there "clipboard snoopers" out there? Or more specifically, are there clipboard snoopers that access sensitive data they couldn't also access in any other way?

It seems to me that if you can access the system clipboard you have enough access to do all sorts of stuff.

3 comments

There are known cases of malware clipboard snoopers which replaced bitcoin addresses with attacker-controlled ones, so if you copy/pasted an address to send bitcoin to, you would end up sending it to the attacker.

https://techcrunch.com/2018/07/03/new-malware-highjacks-your...

> Are there "clipboard snoopers" out there?

I haven't run into any (that I know of), but it's trivial to write such a program.

> are there clipboard snoopers that access sensitive data they couldn't also access in any other way?

There's no such thing as a 100% secure system, but removing one of the most vulnerable attack vectors is a huge improvement in and of itself.

> It seems to me that if you can access the system clipboard you have enough access to do all sorts of stuff.

Not quite. Currently all applications have unrestricted access to the clipboard. Accessing decrypted credentials in a password manager is only possible by the authorized user, and this can be restricted in a number of ways. Maybe we need a stricter permission system for clipboard access, but I would argue we need to stop using the clipboard for exchanging sensitive data between applications.

It's indeed trivial to write such a thing, and given that none seem to exist it doesn't seem like it's really a practical security issue IMHO.

I think a permission system for the clipboard would be pretty awkward UX, and not really worth the effort for the (hypothetical) problem it's solving.

Yes - for example https://github.com/slyd0g/SharpClipboard

This is designed to work with Cobalt Strike, which is a tool used by security testers (i.e. red teams), but also by real-life adversaries as well.

So has anyone ever used that as an attack vector? Some proof-of-concept code is not hard to write.

Yes - see https://attack.mitre.org/techniques/T1115/ for a non-exhaustive list.