by imiric
1330 days ago
> If you have malicious software running on your system, all bets are off.

I think that's a common and lazy response to many security issues. There are _many_ ways in which a nefarious script or program can run in a "secure" environment and wreak havoc. Think NodeJS or Python scripts, which are typically downloaded from untrusted sources and run blindly by most people as their own (hopefully) unprivileged user.

> There are many ways it could steal your passwords, since desktop OSes don't sandbox apps like mobile OSes do.

Well, sure, but isn't securing this one major IMO attack vector an improvement over not doing anything about it? I don't follow this defeatist logic of "well, if you're already running malicious software, you're SoL". Besides, this clipboard issue is also a problem on mobile OSs, since all apps share a global clipboard. Unless some app-specific workarounds are implemented, as mentioned elsewhere in the thread.
Unfortunately securing this attack vector is costly - in the sense of annoying the user with prompts and access grants.
This is why, even on mobile, as you noticed, only browsers require user confirmation before allowing webpages access to the clipboard.
You could maybe do something in between, like not allowing clipboard access to processes which don't have a foreground window visible to the user.
But in practice, this attack vector is not exploited. If you are targeted, it's much more likely that a specific attack against the password manager is used, since it will extract ALL passwords, and not need to wait for one to show up in the clipboard:
> KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url's are dumped into a CSV file in %AppData%
https://github.com/denandz/KeeFarce