SANS ISC: Internet Storm Center

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

Internet Storm Center

Yesterday I've read an article[1] about the clipboard on iPhones and how it can disclose sensitive information about the device owner. At the end of the article, the author gave a reference to an iPhone app[2] that discloses the metadata of pictures copied to the clipboard (like the GPS coordinates).

This is true, our clipboards may contain sensitive information like… passwords, private URLs, confidential text, and man more! About passwords, many password managers use the clipboard to make the user’s life easier. You just need to paste data exported by the password manager in the password field. Some of them implement a technique to restore the content of the clipboard with previous data. This is very convenient but it is NOT a security feature. Once data has been copied into the clipboard, it can be considered as “lost” if other applications are monitoring its content.

Note that some Password managers are more "mature" and offer a browser add-on that communicates directly with the main application and bypass the clipboard.

This gave me the idea: let’s write a few lines of PowerShell to monitor the content of the clipboard on a Windows 10 host. Here is the very simple code based on Get-Clipboard[3]:

$data = Get-Clipboard;
while($true)
{
    $updated = $false;
    $olddata = $data;
    $data = Get-Clipboard;
    if ($olddata -ne $data) {
        $updated = $true;
    }

    if ($updated) {
        Write-Host “New clippboard data detected: $data”
    }
    Start-Sleep -Milliseconds 100;
} 

It just grabs the content of the clipboard every 0.1 seconds and, if changed, displays the content (note that I’m just handling basic text, binary content is ignored).

Let’s run it and continue to work as usual. We see the history of all data copied into the clipboard:

New clippboard data detected: clipboard
New clippboard data detected: 563068
New clippboard data detected: 177888
New clippboard data detected: https://blog.rootshell.be/2020/02/27/sans-isc-offensive-tools-are-for-blue-teams-too/
New clippboard data detected: lwi0b!nui8hAMTlG
New clippboard data detected: 'list' object has no attribute 'keys'
New clippboard data detected: https://www.youtube.com

You can guess that we have some 2FA tokens, passwords, error messages (that are usually pasted to Google, etc).

My Windows host is virtualised and, for more ease of use, the VM is not isolated:

This means that I can copy/paste between the host and the VM. Let’s test from a shell on the host:

xavier : ~ $ whoami|pbcopy
xavier : ~ $ pbpaste
uid=501(xavier) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)

(pbcopy/pbpaste are MacOS commands to read/write the clipboard, very convenient :-)

And immediately, on my Windows VM, my scripts reacts:

New clippboard data detected: uid=501(xavier) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)  

Even more interesting: I’m an Apple fan and I’ve the complete range of Apple devices, all of them are perfectly integrated…. The clipboard too! (Via iCloud). Let’s test again:

And, once data copied into the iPhone clipboard, I see in the VM host:

New clipboard data detected: Test from iPhone

By design, the clipboard is available to all processes running on the system. This mean also all potential malicious applications and malware. They don't require any special privileges to access the clipboard. Keep this in mind!

[1] https://www.securitynewspaper.com/2020/02/26/are-you-an-iphone-user-dont-copy-paste-your-card-number-or-passwords-other-apps-can-steal-your-data-from-the-clipboard/
[2] https://www.youtube.com/watch?v=tegfZNv8SBc
[3] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard?view=powershell-7

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key