1

Let's say I'm working in application A and copy some sensitive data to the clipboard. Can application B, which is open at the moment, catch the information I've copied?

Does OS X protect from such vulnerabilities?

Update: To be more specific, what if I copy a password from a password manager: is the pass accessible to all the apps while it is in the clipboard? If so, how do password managers protect a user in this case?

  • Protect from what? Using the clipboard to paste a password into a login page is standard behavior of typical password managers. – nohillside Jan 28 '18 at 19:37
  • Each password manager is different but the best ones (i.e. 1Password) have a setting that allows you to set the amount of time a password will be available on the system's clipboard. After that amount of time, the application will overwrite the clipboard, thus erasing the password that was there. – fsb Jan 28 '18 at 19:41
  • @patrix I meant: is it possible that a third app will somehow steal the password during the short time between the moment when a user copied it and the moment when he pasted it and cleared the buffer? – Sasha Shpota Jan 28 '18 at 19:43
  • @fsb so do the other managers. But theoretically, is it possible that during the 10-second interval while the pass is in the clipboard another app steals it? – Sasha Shpota Jan 28 '18 at 19:45
  • Yes. Theoretically and practically. – nohillside Jan 28 '18 at 19:52
  • Sure, theoretically it's possible if you have installed another application that you've allowed to stay active in the background and constantly scan the system clipboard (to get the password during that 10 second interval). – fsb Jan 28 '18 at 19:55
  • @fsb The question is about macOS, any app/daemon can continuously read the clipboard (ey, one could even write a shell script to do so) – nohillside Jan 28 '18 at 20:09
  • @patrix Correct, my point being that the OP would have to install an app (or install/write a script) to continuously read the keyboard and then know what's an actual password compared to anything else that's on the clipboard. On the Mac, I believe 1Password uses their Browser Extension which, I've read on AgileBits but don't recall the page, bypasses the clipboard entirely. – fsb Jan 28 '18 at 20:46
  • Also relevant is a clearing process - https://apple.stackexchange.com/questions/55146/is-there-an-easy-way-to-clear-empty-the-clipboard – bmike Apr 21 '20 at 22:10

2 Answers

3

This is not a vulnerability per se.

The clipboard is accessible system-wide, which is why you can copy something from application A and paste it to application B.

It's not meant to be, nor does it function as, a secure holding area.

If an application has sensitive data fields, it is up to the developers to block clipboard access to the data. For all intents and purposes, once info is in the clipboard, it's accessible.

As a test and demo, copy your password from your password manager. Open Terminal and type the command pbpaste. It will output the password that's residing in your clipboard.

Allan
1

It's probably worth stating that having any app on your system which you do not trust is not advisable.

As others have already mentioned (and this post is old, so this benefits only those who stumble upon it later), there are ways in some password managers (I'm familiar with 1Password, personally) that can remove that item from your clipboard after a predetermined period of time. However, beyond that concern, I would seriously question the idea of running an app for which you do not have a certain level of trust. If you have any doubts, that's the first thing I'd resolve.

Jeremy
  • Here’s a script to clear your clipboard - https://apple.stackexchange.com/questions/55146/is-there-an-easy-way-to-clear-empty-the-clipboard – bmike Apr 21 '20 at 22:11