Is it possible for a third party app to access macOS's clipboard content? I am asking in relation to copy & paste sensitive data such as passwords and sensitive file content.
Asked
Active
Viewed 8,823 times
2 Answers
20
No security for data that is in one of the system clipboards is possible by design. This appears to be changing with 2020 features in publicly announced betas where Apple potentially will notify us each time an app copies content out of the clipboard. Some very common apps appear to be abusing the privilege and even if your password manager clears the contents quickly, this could easily be abused to steal keystrokes and passwords or other sensitive data.
The macOS clipboard is a public billboard open to all processes. Clipboard is the mechanism to let all apps read / modify shared data.
Practically you can Either restrict your set of apps installed to those you trust with the data you put in the clipboard or don't restrict sensitive content by never placing it into the clipboard so that the least trusted app only gets data you can permit it to see / log / capture / exfiltrate.
From here, the rabbit hole for developers and security minded people using macOS begins with an overview of secure text input options within programs to prevent key loggers in addition to pasteboard snoopers from grabbing secure input:
- Technical Note TN2150: Using Secure Event Input Fairly
- insecure keyboard entry - a blog post by Daniel Jalkut
- How secure is “Secure Keyboard Entry” in Mac OS X's Terminal?
- https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/
There are some things you can do, however, to mitigate this. Freely available and trustworthy software can show you event taps, key loggers, exfiltration and just communication attempts so you can catch a program that might do things you don’t expect.
ReiKey and LuLu are two I would start with to secure yourself and thereby your clipboard contents.
bmike
- 235,889
-
what are other easy ways to copy passwords from some place to a browser field for example? besides always typing them by hand – Display Name Apr 20 '17 at 12:32
-
3@SargeBorsch That's what password managers are for, generally. I expect there are safe password managers for Mac OS; though I also expect that applications with the same or higher level of permissions could intercept their methods as well. – Luaan Apr 20 '17 at 12:58
-
@Luaan but do you know specific examples? besides these popular but proprietary applications, which are created to harvest passwords. – Display Name Apr 20 '17 at 13:02
-
@SargeBorsch Nope, not really my field of interest. But it's obvious that this kind of thing requires trust :) – Luaan Apr 20 '17 at 13:05
-
@Luaan free software doesn't require trust, it can be inspected. – Display Name Apr 20 '17 at 13:06
-
6@SargeBorsch - Even unintentional security flaws go unnoticed in open source, much less actual malicious backdoors and trojans. The notion that any old user is capable of inspecting the code of any nontrivial piece of software they use, then build it on their machine once it's known to be safe - after doing so for the compiler, of course - is flat out ridiculous, and contradictory to actual practice. (I.e. using package repositories with signed packages, meaning you implicitly trust a distribution's contributors to take care of this for you.) – millimoose Apr 20 '17 at 19:36
-
4@SargeBorsch: See Ken Thompson's incredibly brilliant (and frightening) Turing Award acceptance speech / lecture and the discussion thereof on the wiki. – Jörg W Mittag Apr 21 '17 at 00:19
-
@JörgWMittag yeah, interesting point. But it mostly applies to compilers. Or that an application authors secretly teamed up with compiler authors to make use of a hidden compiler glitch to produce harmful code without being detected. – Display Name Apr 21 '17 at 04:27
-
@Luaan OSX Keychain keeps track of passwords and decides which apps have access to which passwords. I doubt a malicious program could compromise it without root access. – Brian McCutchon Apr 21 '17 at 04:46
-
@BrianMcCutchon Which falls under "the same or higher level of permissions". There's not a lot of other ways to do things... – Luaan Apr 21 '17 at 08:06
-
@SargeBorsch: It applies to everything that processes programs: a compiler, an assembler, a linker, a loader, the OS kernel, the CPU, you name it. And it doesn't require cooperation from the program's author. That's the genius, nefarious, and frightening part: you can't detect the hack, because it doesn't have to exist where the hack takes place. – Jörg W Mittag Apr 23 '17 at 13:21
-
1@JörgWMittag how is that related to password managers? Are you trying to prove that since OS, CPU, compilers, etc may be hacked, the quality/availability of other software's source code doesn't matter? – Display Name Apr 23 '17 at 15:54
-
Isn't this a gaping security risk for people who use password managers like LastPass? It's one thing to say "don't install software you don't trust", but a lot of measures have been implemented recently—SIP, TCC, etc—to make sure standard apps can't steal sensitive info, despite their cost to overall UX. An unrestricted clipboard basically negates all of those measures for anyone using a password manager. My passwords, IMO, are more sensitive than anything else on my machine, by far. – Wowfunhappy Nov 27 '18 at 19:15
-
1@Wowfunhappy A plain text password means you have to secure physical access to your Mac and trust all apps that read the clipboard. If your threat model is you don't trust your apps and your access - you need to use UBIKEY or multi factor auth and assume the password will leak. Everything is a risk and if it's wide open depends on your specific threat model. – bmike Nov 27 '18 at 21:28
7
Any process with sufficient permissions can read your clipboard at any time, and you can't easily prevent this. Security is always a trade-off with usability, and this is the choice that most (but not all) OSes take when implementing the clipboard.
Some apps that store sensitive data (e.g. 1Password) implement a timeout such that any information you copy out of that application is cleared from the clipboard a short time later. If you'd like to do something like that globally, you could look at the answers to this previous question for ideas.
calum_b
- 5,921
- 30
- 37
-
1Great point that by clearing known sensitive content on a timer, you limit the time frame where a less trusty process can be launched and snoop on text from the clipboard. This also lessens the risk someone would walk away from a computer and have the password to paste hours later into twitter or other social media. – bmike Apr 21 '17 at 02:54