On Sat, Jul 26, 2014 at 9:34 AM, Perry Smith <pedz...@gmail.com> wrote:
>
> On Jul 26, 2014, at 8:26 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
>
>> On Sat, Jul 26, 2014 at 9:19 AM, Perry Smith <pedz...@gmail.com> wrote:
>>> Sorry if this is a lame question but I never understood the dangers of Copy 
>>> and Paste that the web is trying to avoid.  Can someone explain that to me?
>>>
>> It's a point of data egress. You don't want sensitive information from
>> one program scraped and egressed by another.
>>
>> The first program could be a browser and the second program could be
>> malware. In this case, the malware looks for data placed on the
>> clipboard by the browser (and hopes to get a username, password,
>> sensitive document, etc).
>>
>> Or, it could be another program with the browser scraping the data and
>> hauling it off to a site.
>
> I thought about that.  So it is not so much the Copy and Paste operations as 
> much as being able to get the content of the clipboard?
>
Yes, I believe so. The clipboard is a shared resource with little to
no restrictions.

One of the check boxes on a security evaluation is how a program
handles the clipboard and copy/paste (or at least the ones I used when
doing security architecture work). It's one of those dataflows that
could be part of a higher than expected data sensitivity, like a
single sign-on password.

Also, "data egress" may have been a bad choice. In this case, I think
it's more about "data collection". It's hard to stop a web browser from
opening a socket ;)

Two additional clipboard features that would be nice are: (1) a "one
shot" copy/paste: delete the password from the clipboard after
retrieving it from the password manager and pasting it into a password
box; and (2) "timed" copy/paste: expire the data after 10 seconds or
so. Both should allow the legitimate use cases, and narrow the window
for the abuse cases.

Jeff
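The two mitigations Jeff proposes at the end of his message (one-shot paste and timed expiry) are easy to model. The following is an added example, not code from anyone in this thread: it uses an in-memory stand-in for the system clipboard (a real implementation would sit in front of the OS clipboard API) and an injectable clock so the expiry window can be exercised deterministically. The class and method names are this example's own assumptions.

```python
import threading
import time
from typing import Callable, Optional


class FakeClock:
    """Deterministic clock for demonstrating expiry (constructed for this example)."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ExpiringClipboard:
    """In-memory clipboard stand-in (assumption: a real version wraps the OS clipboard).

    Two narrowing features from the thread:
      * one_shot  - the value is wiped as soon as it is pasted once
      * ttl       - the value is wiped once the time-to-live has elapsed
    Both are enforced at read time, so a stale value is never handed out.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._lock = threading.Lock()
        self._value: Optional[str] = None
        self._expires_at: Optional[float] = None
        self._one_shot = False

    def copy(self, text: str, *, one_shot: bool = False,
             ttl_seconds: Optional[float] = None) -> None:
        """Place text on the clipboard, optionally one-shot and/or with a TTL."""
        with self._lock:
            self._value = text
            self._one_shot = one_shot
            self._expires_at = (self._clock() + ttl_seconds
                                if ttl_seconds is not None else None)

    def paste(self) -> Optional[str]:
        """Return the clipboard value, or None if empty, expired, or already consumed."""
        with self._lock:
            if self._value is None:
                return None
            # Timed copy/paste: an expired value is wiped instead of returned.
            if self._expires_at is not None and self._clock() >= self._expires_at:
                self._wipe_locked()
                return None
            value = self._value
            # One-shot copy/paste: the first paste consumes the value.
            if self._one_shot:
                self._wipe_locked()
            return value

    def clear(self) -> None:
        """Explicit wipe, e.g. called by a password manager after the paste completes."""
        with self._lock:
            self._wipe_locked()

    def _wipe_locked(self) -> None:
        self._value = None
        self._expires_at = None
        self._one_shot = False


def demo() -> dict:
    """Exercise both features against the fake clock and return the observations."""
    clock = FakeClock(100.0)
    cb = ExpiringClipboard(clock)

    # (1) one-shot: the password manager copies, the login form pastes once.
    cb.copy("example-secret", one_shot=True)   # constructed sample value
    first = cb.paste()
    second = cb.paste()                          # a later reader gets nothing

    # (2) timed: value survives within the window and vanishes after it.
    cb.copy("example-secret", ttl_seconds=10)
    inside = cb.paste()
    clock.advance(9.9)
    still_inside = cb.paste()
    clock.advance(0.1)                           # exactly at the 10 s boundary
    expired = cb.paste()

    return {"first": first, "second": second, "inside": inside,
            "still_inside": still_inside, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Expiry is checked lazily on `paste()`, which is enough to guarantee no stale value is ever returned; a production version would additionally schedule a background wipe (for example with `threading.Timer`) so the secret does not linger in memory until the next read.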
