On 24.01.2012 19:18, Mario Vilas wrote:
> You're reporting that if you copy and paste sensitive information and
> connect to a VNC session your clipboard data gets sent to the remote
> machine. That's pretty obvious

If I have a VNC window somewhere on my desktop (in my case a virtual desktop or minimized), and continue with my work, 3 hours later when I work on some document or use some webapp, I don't remember that I have a VNC session open and no, it's not obvious at all that this other host can read the communication between my local apps.

> On top of that, the attack scenario doesn't sound too good either. I
> fail to see why would you need to copy&paste a password to access an
> untrusted machine and then worry that machine might get to see the
> password to itself.

You misunderstood. The remote machine can see *any* clipboard entries, even if I do something entirely different in a completely different application. I am browsing or using SSH and paste my password there, because the FF password manager failed, or I'm in a word processor or email app and write some document, which is entirely unrelated to the VNC session. I haven't looked at the VNC host for hours (but I have it constantly open for tasks that I need to do with untrusted software in a jail).
