System Clipboard Enabled

Overview of the Vulnerability

Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. When the system clipboard is enabled for sensitive fields, user data such as passwords can be placed on the device clipboard without the user realizing it.

An attacker could abuse the system clipboard being enabled to steal sensitive information that a user copied to their clipboard from within the application. With access to this sensitive data, they could perform further attacks on the application, the business, or its users.
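The template above is platform-agnostic; the following Android/Kotlin snippet is an added hardening example (it is not part of the original template and not code from any application it may be used to report on). It shows the two defensive options a developer has: block the copy, cut and share actions on a field that should never reach the clipboard, and, for data the user legitimately needs to copy, mark the clip as sensitive and clear it after a short window. The extension and helper names, the 60-second window and the assumption that the field is an `EditText` in a standard Android project are all assumptions made for the example.

```kotlin
// Added example (not from the original template): Android clipboard hardening.
// Assumes a standard Android project; `disableClipboardActions`, `copySensitive`
// and the 60-second clearing interval are hypothetical names/values for this example.
import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.Handler
import android.os.Looper
import android.os.PersistableBundle
import android.view.ActionMode
import android.view.Menu
import android.view.MenuItem
import android.widget.EditText

/**
 * Prevents the contents of a sensitive field (password, card number, secret) from
 * being copied, cut or shared, so they never land on the system clipboard.
 */
fun EditText.disableClipboardActions() {
    // A long press would normally open the text-selection toolbar.
    isLongClickable = false

    // Returning false from onCreateActionMode stops the Copy/Cut/Share toolbar
    // from being created at all; the insertion callback hides the Paste toolbar.
    val noActions = object : ActionMode.Callback {
        override fun onCreateActionMode(mode: ActionMode?, menu: Menu?): Boolean = false
        override fun onPrepareActionMode(mode: ActionMode?, menu: Menu?): Boolean = false
        override fun onActionItemClicked(mode: ActionMode?, item: MenuItem?): Boolean = false
        override fun onDestroyActionMode(mode: ActionMode?) {}
    }
    customSelectionActionModeCallback = noActions
    customInsertionActionModeCallback = noActions   // available from API 23
}

/**
 * For values the user genuinely needs to copy (for example a one-time code), place them
 * on the clipboard flagged as sensitive so Android 13+ hides them from the clipboard
 * preview, and clear the clip after a short window so it does not linger for other apps.
 */
fun copySensitive(context: Context, label: String, text: String) {
    val clipboard = context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
    val clip = ClipData.newPlainText(label, text)

    // EXTRA_IS_SENSITIVE is honoured by the system clipboard UI on Android 13 (API 33) and later.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
        clip.description.extras = PersistableBundle().apply {
            putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
        }
    }
    clipboard.setPrimaryClip(clip)

    // Clear the clip after 60 seconds (assumed interval); clearPrimaryClip exists from API 28.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        Handler(Looper.getMainLooper()).postDelayed({ clipboard.clearPrimaryClip() }, 60_000L)
    }
}
```

A tester verifying the fix would repeat the steps in this template: with `disableClipboardActions()` applied, long-pressing the field no longer offers Copy; with `copySensitive()`, the pasted value still appears in another app inside the window but is masked in the clipboard preview on Android 13+ and is gone after the clip is cleared.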

Business Impact

This vulnerability can lead to reputational damage as customers may view the application as insecure.

Steps to Reproduce

  1. Install the application on your mobile device

  2. Navigate to {{url}} and copy some sensitive account information

  3. Paste this data in some other area of your mobile device and observe that access to the clipboard was enabled in the application

Proof of Concept (PoC)

The screenshot below shows the mobile security misconfiguration:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature.

For this finding, please include a video of sensitive information being copied to the clipboard inside the application, and the same information being pasted somewhere else to show that it was successfully copied.

Attempt to abuse the system clipboard being enabled by showing that a malicious application with clipboard access could use the information in some impactful way. If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

It is recommended that the mobile application’s security is managed through a repeatable configuration process which covers application hardening, updates, and patches. There should also be a verification process through the development and delivery cycles which tests the effectiveness of the configurations and settings.

For further information, please refer to: https://owasp.org/www-project-mobile-top-10/