2

I noticed that multiple password-locker applications recommend that you use the drag-and-drop feature to transfer passwords to login forms instead of copying the passwords to the clipboard or having the password locker type the password for you using simulated key presses. The basic argument is that it's fairly easy for a keylogger to record key presses or to peek inside the contents of the clipboard.

I know that nothing can totally protect your data if your computer has been compromised, but is it true that it's harder for spyware to get the password if it's transferred using drag-and-drop?

hugomg

1 Answer

4

Though it's better in the sense that communication is automatically between two windows (and you can hope the object disappears after it's transferred), I'm voting no¹ because:

The only protection I saw was at the process level: you can't DnD from a non-elevated process to an elevated one (prevents shatter attacks).

¹ I don't have a Windows system to test on so I'm just referencing things that seem to disprove it.

Glorfindel
ǝɲǝɲbρɯͽ