*** This bug is a security vulnerability *** Public security bug reported:
Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says "Pasted from clipboard" and then fades out)-- this should be as unobtrusive as possible. ** Affects: content-hub (Ubuntu) Importance: High Status: New ** Affects: mir (Ubuntu) Importance: High Status: New ** Affects: unity8 (Ubuntu) Importance: High Status: New ** Tags: application-confinement ** Summary changed: - information disclosure: clipboard contents can be leaked to other applications + information disclosure: clipboard contents can be obtained in the background ** Also affects: mir (Ubuntu) Importance: Undecided Status: New ** Also affects: content-hub (Ubuntu) Importance: Undecided Status: New ** Changed in: content-hub (Ubuntu) Importance: Undecided => High ** Changed in: mir (Ubuntu) Importance: Undecided => High ** Changed in: unity8 (Ubuntu) Importance: Undecided => High ** Description changed: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. + + Ideally this would be handled via wholly user-driven interactions. While + this could be achieved via keyboard driven interactions, it is difficult + with toolkit driven interactions (ie, 'Paste' from a menu is necessarily + a pull operation). One idea is not to block access but instead make + users aware of the clipboard access (eg, an overlay that says "Pasted + from clipboard" and then fades out)-- this should be as unobtrusive as + possible. ** Tags added: application-confinement ** Information type changed from Public to Public Security ** Summary changed: - information disclosure: clipboard contents can be obtained in the background + information disclosure: clipboard contents can be obtained without user knowledge -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to unity8 in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in “content-hub” package in Ubuntu: New Status in “mir” package in Ubuntu: New Status in “unity8” package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says "Pasted from clipboard" and then fades out)-- this should be as unobtrusive as possible. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/content-hub/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp