Show me Your Clipboard Data!

Published: 2020-02-28
Last Updated: 2020-02-28 06:11:31 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Yesterday I've read an article[1] about the clipboard on iPhones and how it can disclose sensitive information about the device owner. At the end of the article, the author gave a reference to an iPhone app[2] that discloses the metadata of pictures copied to the clipboard (like the GPS coordinates).

This is true, our clipboards may contain sensitive information like… passwords, private URLs, confidential text, and man more! About passwords, many password managers use the clipboard to make the user’s life easier. You just need to paste data exported by the password manager in the password field. Some of them implement a technique to restore the content of the clipboard with previous data. This is very convenient but it is NOT a security feature. Once data has been copied into the clipboard, it can be considered as “lost” if other applications are monitoring its content.

Note that some Password managers are more "mature" and offer a browser add-on that communicates directly with the main application and bypass the clipboard.

This gave me the idea: let’s write a few lines of PowerShell to monitor the content of the clipboard on a Windows 10 host. Here is the very simple code based on Get-Clipboard[3]:

$data = Get-Clipboard;
while($true)
{
    $updated = $false;
    $olddata = $data;
    $data = Get-Clipboard;
    if ($olddata -ne $data) {
        $updated = $true;
    }

    if ($updated) {
        Write-Host “New clippboard data detected: $data”
    }
    Start-Sleep -Milliseconds 100;
}

It just grabs the content of the clipboard every 0.1 seconds and, if changed, displays the content (note that I’m just handling basic text, binary content is ignored).

Let’s run it and continue to work as usual. We see the history of all data copied into the clipboard:

New clippboard data detected: clipboard
New clippboard data detected: 563068
New clippboard data detected: 177888
New clippboard data detected: https://blog.rootshell.be/2020/02/27/sans-isc-offensive-tools-are-for-blue-teams-too/
New clippboard data detected: lwi0b!nui8hAMTlG
New clippboard data detected: 'list' object has no attribute 'keys'
New clippboard data detected: https://www.youtube.com

You can guess that we have some 2FA tokens, passwords, error messages (that are usually pasted to Google, etc).

My Windows host is virtualised and, for more ease of use, the VM is not isolated:

This means that I can copy/paste between the host and the VM. Let’s test from a shell on the host:

xavier : ~ $ whoami|pbcopy
xavier : ~ $ pbpaste
uid=501(xavier) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)

(pbcopy/pbpaste are MacOS commands to read/write the clipboard, very convenient :-)

And immediately, on my Windows VM, my scripts reacts:

New clippboard data detected: uid=501(xavier) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)

Even more interesting: I’m an Apple fan and I’ve the complete range of Apple devices, all of them are perfectly integrated…. The clipboard too! (Via iCloud). Let’s test again:

And, once data copied into the iPhone clipboard, I see in the VM host:

New clipboard data detected: Test from iPhone

By design, the clipboard is available to all processes running on the system. This mean also all potential malicious applications and malware. They don't require any special privileges to access the clipboard. Keep this in mind!

[1] https://www.securitynewspaper.com/2020/02/26/are-you-an-iphone-user-dont-copy-paste-your-card-number-or-passwords-other-apps-can-steal-your-data-from-the-clipboard/
[2] https://www.youtube.com/watch?v=tegfZNv8SBc
[3] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard?view=powershell-7

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Clipboard Data GetClipboard Leak Powershell
0 comment(s)
ISC Stormcast For Friday, February 28th 2020 https://isc.sans.edu/podcastdetail.html?id=6888

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
9 months ago

password reveal .

Anonymous

Dec 3rd 2022
9 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
9 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
8 months ago

Login here to join the discussion.


Diary Archives