Name |
Collect Data from Clipboard |
|
Likelyhood of attack |
Typical severity |
Low |
Low |
|
Summary |
The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized. |
Prerequisites |
The adversary must have a means (i.e., a pre-installed tool or background process) by which to collect data from the clipboard and store it. That is, when the target copies data to the clipboard (e.g., to paste into another application), the adversary needs some means of capturing that data in a third location. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
[Find an application that allows copying sensititve data to clipboad] An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data |
|
2 |
Experiment |
[Target users of the application] An adversary will target users of the application in order to obtain the information in their clipboard on a periodic basic |
- Install malware on a user's system designed to log clipboard contents periodically
- Get the user to click on a malicious link that will bring them to an application to log the contents of the clipboard
|
3 |
Exploit |
[Follow-up attack] Use any sensitive information found to carry out a follow-up attack |
|
|
Solutions | While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality. Employ a robust identification and audit/blocking via using an allowlist of applications on your system. Malware may contain the functionality associated with this attack pattern. |
Related Weaknesses |
CWE ID
|
Description
|
CWE-267 |
Privilege Defined With Unsafe Actions |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-150 |
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks. |
|
Taxonomy: ATTACK |
Entry ID
|
Entry Name
|
1115 |
Clipboard Data |
|