[323]

> which is accessible by any application that asks for it

If you have malicious software running on your system, all bets are off. There are many ways it could steal your passwords, since desktop OSes don't sandbox apps like mobile OSes do.

Just one example: you send the password securely to Chrome, but the malicious app just reads the login session cookie from the Chrome user profile files.

Having a secure way of sending a password to an app would indeed be a defense in depth, but fundamentally the system is broken since all apps run with the same permission as the user, thus they can interfere with each other.

[imiric]

> If you have malicious software running on your system, all bets are off.

I think that's a common and lazy response to many security issues. There are _many_ ways in which a nefarious script or program can run in a "secure" environment and wreak havoc. Think NodeJS or Python scripts, which are typically downloaded from untrusted sources and ran blindly by most people as their own (hopefully) unpriviliged user.

> There are many ways it could steal your passwords, since desktop OSes don't sandbox apps like mobile OSes do.

Well, sure, but isn't securing this one major IMO attack vector an improvement over not doing anything about it? I don't follow this defeatist logic of "well, if you're already running malicious software, you're SoL".

Besides, this clipboard issue is also a problem on mobile OSs, since all apps share a global clipboard. Unless some app-specific workarounds are implemented, as mentioned elsewhere in the thread.

[323]

> isn't securing this one major IMO attack vector an improvement over not doing anything about it

Unfortunately securing this attack vector is costly - in the sense of annoying the user with prompts and access grants.

This is why even on mobile as you noticed, only browsers require user confirmation before allowing webpages access to the clipboard.

You could maybe do something in between, like not allowing clipboard access to processes which don't have a foreground window visible to the user.

But in practice, this attack vector is not exploited. If you are targeted, it's much more likely that a specific attack against the password manager is used, since it will extract ALL passwords, and not need to wait for one to show up in the clipboard:

> KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url's are dumped into a CSV file in %AppData%

https://github.com/denandz/KeeFarce

[imiric]

> Unfortunately securing this attack vector is costly - in the sense of annoying the user with prompts and access grants.

You're making assumptions about what the implementation would be. There are many ways the UX could be unobtrusive. Besides, I'm not even proposing that the solution should be to restrict access to the clipboard. I'm just saying that there should be a secure channel between apps provided by the OS that can be used for these purposes. Designing and implementing that would be costly, sure, but I'm not an OS designer, and merely speaking what I would like to see as a user.

> But in practice, this attack vector is not exploited.

Of course it is[1]. It's not even an exploit, but an abuse of a glaringly insecure OS feature.

> If you are targeted, it's much more likely that a specific attack against the password manager is used

Again, why are you minimizing this clearly easy to abuse OS feature by comparing it to much more sophisticated exploits? Yes, there are other attack vectors. This thread is specifically about how the clipboard is trivially abused.

[1]: https://news.ycombinator.com/item?id=33330035

[323]

> Again, why are you minimizing this clearly easy to abuse OS feature by comparing it to much more sophisticated exploits

You need to think like an attacker. If you gained a foothold on a machine, maybe for a limited time, do you wait until the user happens to login to their banking site by copy pasting the password, or do you comb the machine for everything valuable - files, cookies, password manager databases, ...

If you are sniffing the clipboard you are actively malicious, but then you limit yourself to low gains?

Note that most of the trojans listed in your link are fully featured, sniffing the clipboard is one of the many attacks in their menu.

You are right that it is an attack vector, but it's not a particularly bad one. Microsoft did implement various restrictions which annoy the user, and did implement some protections against common attacks - ransomware file protection, but did nothing regarding the clipboard. Which means that in their cost/benefit analysis it did not stick out as a priority.