On Sat, Jul 26, 2014 at 9:34 AM, Perry Smith <pedz...@gmail.com> wrote:
>
> On Jul 26, 2014, at 8:26 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
>
>> On Sat, Jul 26, 2014 at 9:19 AM, Perry Smith <pedz...@gmail.com> wrote:
>>> Sorry if this is a lame question but I never understood the dangers of Copy
>>> and Paste that the web is trying to avoid. Can someone explain that to me?
>>>
>> It's a point of data egress. You don't want sensitive information from
>> one program scraped and egressed by another.
>>
>> The first program could be a browser and the second program could be
>> malware. In this case, the malware looks for data placed on the
>> clipboard by the browser (and hopes to get a username, password,
>> sensitive document, etc).
>>
>> Or, it could be another program with the browser scraping the data and
>> hauling it off to a site.
>
> I thought about that. So it is not so much the Copy and Paste operations as
> much as being able to get the content of the clipboard. ?
>
Yes, I believe so. The clipboard is a shared resource with little to
no restrictions.

One of the check boxes on a security evaluation is how a program
handles the clipboard and copy/paste (or at least the ones I used when
doing security architecture work). It's one of those dataflows that
could be part of a higher than expected data sensitivity, like a
single sign-on password.

Also, "data egress" may have been a bad choice. In this case, I think
it's more about "data collection". It's hard to stop a web browser from
opening a socket ;)

Two additional clipboard features that would be nice are: (1) a "one
shot" copy/paste: delete the password from the clipboard after
retrieving it from the password manager and pasting it into a password
box; and (2) "timed" copy/paste: expire the data after 10 seconds or
so.

Both should allow the legitimate use cases, and narrow the window for
the abuse cases.

Jeff
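
The "one shot" and "timed" behaviours proposed in the message above, sketched as an added example that is not part of the original message. `MemoryClipboard` and `GuardedCopy` are hypothetical names, and the in-memory clipboard is a constructed stand-in for the shared OS clipboard; the clear step only wipes the clipboard if it still holds the secret, so a later user copy is not clobbered.

```python
import hashlib
import time

class MemoryClipboard:
    """Constructed stand-in for the OS clipboard: one shared slot, no access control."""
    def __init__(self):
        self.data = ""
    def get(self):
        return self.data
    def set(self, text):
        self.data = text

def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).digest()

class GuardedCopy:
    """Hypothetical helper a password manager could wrap around a clipboard backend."""
    def __init__(self, clipboard, ttl=10.0, clock=time.monotonic):
        self.clipboard, self.ttl, self.clock = clipboard, ttl, clock
        self._digest = self._deadline = None  # keep a hash, not the secret itself

    def copy(self, secret):
        self.clipboard.set(secret)
        self._digest = _digest(secret)
        self._deadline = self.clock() + self.ttl

    def _still_ours(self):
        return self._digest is not None and _digest(self.clipboard.get()) == self._digest

    def _clear(self):
        # Wipe only if the slot still holds our secret; never clobber a later copy.
        cleared = self._still_ours()
        if cleared:
            self.clipboard.set("")
        self._digest = self._deadline = None
        return cleared

    def paste_once(self):
        """One shot: return the value for the password box, then clear at once."""
        ok = self._still_ours() and self.clock() < self._deadline
        value = self.clipboard.get() if ok else None
        self._clear()
        return value

    def tick(self):
        """Timed: call periodically; clears once the TTL (10 s default) has elapsed."""
        if self._deadline is not None and self.clock() >= self._deadline:
            return self._clear()
        return False
```

Any process that reads the clipboard between `copy()` and the clear still sees the secret; the helper narrows that window, it does not close it.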