3

This is an operating system agnostic question. We are recommended to use password managers which encourage us to copy and paste our passwords. What protections exist if any to say a malicious website in another tab copying clipboard content?

  • You just have to rely on the password manager reliably cleaning the clipboard after a reasonable timeout. – multithr3at3d Apr 29 '18 at 16:11
  • 1
    @multithr3at3d If a malicious website in another tab has access to the clipboard for even a second a quick clear of the clipboard isn’t going to make a difference. –  Apr 29 '18 at 16:20
  • Most good password managers have a way to enter password without copying to clipboard. This is usually called something like [AutoType in KeePass](https://keepass.info/help/base/autotype.html). Additionally, you can install browser plugins that will read the password directly from the password manager, after verifying it's in the correct site based on the page's URL. – Lie Ryan Apr 30 '18 at 23:37

2 Answers

3

> What protections exist if any to say a malicious website in another tab copying clipboard content?

This is handled at the web browser level. There is no API by which a webpage can read the clipboard without explicit user interaction *. It would only be possible with a browser exploit, in which case you would probably have bigger problems.

* Obsolete IE versions had an option where this could be enabled, but it was not enabled by default.

Alexander O'Mara
  • 1
    Agreed. There is rarely any protection for the clipboard outside a web context. As a feature that demonstrates the lack of protection, the GPG KeyChain GUI app that comes with GPG Suite for macOS actually watches the clipboard and prompts you if you want to import a public key when it sees one on the clipboard. I've seen other applications do the same when you copy a registration key for the app to the clipboard, asking if you want to register the app with that key. – nbering Apr 29 '18 at 17:30
  • 99% true, but note that older Flash and IE can get user-less clipboard access. – dandavis Apr 30 '18 at 22:51
  • @dandavis Good point on IE. AFAIK, Flash could only write to the clipboard though. Reading was only possible via Flash in desktop AIR application. – Alexander O'Mara Apr 30 '18 at 22:56
  • Well, there is a [getData()](https://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html#getData()) function, not sure if it was nerfed pre-10 or not, so I mention it... – dandavis Apr 30 '18 at 22:58
  • @dandavis I'm pretty sure the "Flash Player requires that the `getData()` be called in a `paste` event handler." restriction always applied. It would have been a pretty serious blunder if not. – Alexander O'Mara Apr 30 '18 at 23:03
2

There are a couple assumptions being made in your question. First, the OS does not protect the clipboard. Text there is in memory until overwritten. It's not meant to be a sensitive process that requires protection from different processes under the same user context.

Secondly, even though your question is meant to be OS agnostic, by necessity, it is required to be aware of how various password managers work. Some managers copy to the clipboard then overwrite the clipboard entry after a few seconds. Some do not use the clipboard, and some use alternate methods of automatically entering the password into fields.

If you mean that the user copy/pastes from a source (password manager, text file, etc.) then the user needs to manage this problem themselves.

Third, if there is malware running in "another tab" that can read user memory or the memory space of another tab, then there are much bigger problems to worry about than protecting clipboard memory.

schroeder
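
The copy-then-overwrite behaviour mentioned in the answer above, sketched as an added example (not from the original posts or from any particular password manager). `MemoryClipboard` is a hypothetical in-memory stand-in for the OS clipboard, and the class names and the 10-second default are assumptions; until the clear runs, anything under the same user that calls `get()` still sees the secret.

```python
import hashlib
import hmac
import threading


class MemoryClipboard:
    """Hypothetical in-memory stand-in for the OS clipboard (assumption)."""

    def __init__(self):
        self.text = ""

    def get(self):
        return self.text

    def set(self, text):
        self.text = text


class TimedSecretCopy:
    """Copy a secret, then wipe it after timeout_s unless it was replaced."""

    def __init__(self, clipboard, timeout_s=10.0):  # 10 s is an assumed default
        self.clipboard = clipboard
        self.timeout_s = timeout_s
        self._digest = None   # hash only, so the secret is not kept here
        self._timer = None

    def copy(self, secret):
        self.cancel()
        self.clipboard.set(secret)
        self._digest = hashlib.sha256(secret.encode()).digest()
        self._timer = threading.Timer(self.timeout_s, self.clear_if_ours)
        self._timer.daemon = True
        self._timer.start()

    def clear_if_ours(self):
        """Wipe only if the clipboard still holds our secret; True if wiped."""
        if self._digest is None:
            return False
        current = hashlib.sha256(self.clipboard.get().encode()).digest()
        ours = hmac.compare_digest(current, self._digest)
        self._digest = None
        if ours:
            self.clipboard.set("")
        return ours

    def cancel(self):
        if self._timer is not None:
            self._timer.cancel()
            self._timer = None
```

Checking the hash before clearing keeps the timer from wiping something the user copied afterwards.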