System Clipboard Leak

Overview of the Vulnerability

The system clipboard, used when performing a copy and paste function, leaks sensitive information. An attacker could abuse this clipboard leak to steal sensitive information that a user copied to their clipboard in the application.

Business Impact

This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users.

Steps to Reproduce

  1. Create and install the following malicious application capable of accessing the clipboard: {{malicious application}}

  2. Log in to {{application}}

  3. Navigate to the following endpoint: {{value}}

  4. Copy some sensitive information to the clipboard

  5. Within the malicious application, observe the sensitive information through the clipboard

Proof of Concept (PoC)

The screenshot(s) below demonstrate the leak from the system clipboard:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature. For this finding, please include a video of sensitive information being copied to the clipboard by some application which is then stolen by another malicious application that has access to the clipboard.

Attempt to abuse the clipboard leak further by using the leaked data (for example a shared link) to perform additional actions, such as an account takeover or secret key exposure. If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

All clipboard data that may contain sensitive information should be stored in a temporary and local only location on a user’s machine. Sensitive data should not be included in a clipboard history or any type of cloud-based clipboard program.
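One way an application can apply this recommendation on Android is to flag the clip as sensitive when it writes it, so that the system clipboard history and cloud clipboard sync skip it, and to clear the clipboard again after a short timeout. The following is an added example written for this template; it is not code from the original page or from any particular application. It assumes an Android 13 (API 33) or newer target for the sensitivity flag (older versions silently fall back to a plain clip) and uses only platform APIs; the class name `SensitiveClipboard`, the 30-second timeout and the label string are illustrative choices.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Handler;
import android.os.Looper;
import android.os.PersistableBundle;

/** Helper for placing secrets on the system clipboard without exposing them
 *  to clipboard history or cloud clipboard sync (hypothetical helper class). */
public final class SensitiveClipboard {

    /** Illustrative timeout after which the clipboard is cleared again. */
    private static final long CLEAR_AFTER_MS = 30_000L;

    private SensitiveClipboard() {}

    /**
     * Copies {@code secret} to the clipboard, marking it as sensitive.
     * On API 33+ the EXTRA_IS_SENSITIVE flag tells the platform to keep the
     * clip out of clipboard history / cloud sync and to redact it in the
     * copy-preview overlay. The clip is cleared after CLEAR_AFTER_MS.
     */
    public static void copySensitive(Context context, String secret) {
        ClipboardManager cm =
                (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);

        // Use a neutral label so the label itself does not leak what was copied.
        ClipData clip = ClipData.newPlainText("sensitive", secret);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }

        cm.setPrimaryClip(clip);

        // Limit the exposure window: clear the clipboard after the timeout.
        new Handler(Looper.getMainLooper())
                .postDelayed(() -> clearClipboard(context), CLEAR_AFTER_MS);
    }

    /** Clears the clipboard; falls back to overwriting with an empty clip before API 28. */
    public static void clearClipboard(Context context) {
        ClipboardManager cm =
                (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            cm.clearPrimaryClip();
        } else {
            cm.setPrimaryClip(ClipData.newPlainText("", ""));
        }
    }
}
```

The sensitivity flag only controls how the platform's own history and sync features treat the clip; it does not stop a foreground app from reading the primary clip, which is why the timed clear is kept as a second layer. Call `SensitiveClipboard.clearClipboard(context)` from the screen's `onPause()` as well, so the secret does not outlive the view that exposed it.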
