I just noticed an unexpected behavior (potential security risk) about the integrated feature "Clipboard History": It monitors the global system clipboard and silently records whatever you copied. Say you use some password manager (like 1Password) and have to copy a password to fill somewhere. Then your plain password will be saved silently in the Clipboard History window and you have to restart the IDE to clear it... (I was expecting that it only monitors copy actions in the code editor.)

P.S. Password may not be a good example but it applies to all sensitive information.
https://quality.embarcadero.com/browse/RSP-16410

Comments

  1. Of course it is. A clipboard history tool wouldn't be much use if it didn't collect everything.

  2. David Heffernan so you do really have confidential information on your screen you do not want others to see after all?
    Then if you do not wipe the clipboard history as you stated, that info could become visible at a later time if you bring up the clipboard history, f.i. when showing a non-confidential bit of info, even for you.
    In other words you've either never been dealing with really confidential info, or you're not really protecting that confidential info really well, or you've been trolling us all along.

    Christian Conrad IMHO the only safe "password" approaches are OTP ones (Google Authenticator, YubiKey...) as these make leaking a password a non-issue in practice. Classic static passwords are all vulnerable at some point (if only because they need to be typed, copied and entered many times, and they need only be spied upon once to be defeated).

  3. Eric Grange Perhaps you could address the real issue. In what way does a clipboard history program create a security vulnerability? Your so-called exploits require the attacker to have either physical access or be able to execute arbitrary code. Anything you can do at that point is not a vulnerability.
