mtlynch 4 days ago

>Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

Webpages can't read clipboard history, so this wouldn't apply.

I was responding to your guidance to clear your clipboard history after copying a password.

>The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised.

But clearing your clipboard after pasting passwords wouldn't protect you from this attack. That was the recommendation I disagreed with.

>The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.

Yes, I agree. But that's why I think people should focus their energy on defending along trust boundaries.[0] There are no trust boundaries between applications running in the same user context on the same system. There is a trust boundary between a web app and local apps, so I think it makes sense to consider what a malicious web app can do (e.g., read the most recent clipboard contents), but we shouldn't lump web apps in with local desktop apps.

[0] https://en.wikipedia.org/wiki/Trust_boundary
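To make the web-side of that trust boundary concrete, here is an added example (not code from the thread or from any of the commenters) showing what a web page can actually observe of the clipboard. The function names, the sensitivity heuristic and the sample pastes are my own constructions; the browser behaviour it relies on is that a `paste` event exposes only the item currently on the clipboard, and only because the user pasted, while a programmatic `navigator.clipboard.readText()` is subject to a permission or user-gesture check that varies by browser. The DOM wiring is guarded so the file also runs under Node.

```javascript
// Added example: what a web page can (and cannot) see of the clipboard.
// Assumptions: standard Clipboard API and paste events; all function names
// and sample data below are constructed for this example.

// A page never sees clipboard *history*. A paste event carries only the item
// currently on the clipboard, and only at the moment the user pastes.
function captureFromPasteEvent(event) {
  const dt = event && event.clipboardData;
  if (!dt) return null;
  return {
    text: dt.getData("text/plain"),
    types: Array.from(dt.types || []),
  };
}

// The attacker's view over a session: each user paste yields exactly one
// snapshot (the current clipboard contents at that instant), never the history.
function observedClipboardItems(pasteEvents) {
  return pasteEvents
    .map(captureFromPasteEvent)
    .filter(Boolean)
    .map((snapshot) => snapshot.text);
}

// Crude classifier for the data the thread worries about (passwords, e-mail
// addresses). Heuristic only, constructed for this example.
function looksSensitive(text) {
  if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(text)) return "email";
  const complex =
    text.length >= 12 &&
    /[A-Z]/.test(text) &&
    /[a-z]/.test(text) &&
    /\d/.test(text) &&
    /[^A-Za-z0-9]/.test(text);
  return complex ? "password-like" : "other";
}

// Browser wiring, guarded so the file also runs under Node.
if (typeof document !== "undefined") {
  // Fires only on a user-initiated paste; no permission prompt is involved.
  document.addEventListener("paste", (e) => {
    const item = captureFromPasteEvent(e);
    console.log("pasted item visible to page:", item, looksSensitive(item.text));
  });
  // Programmatic read: gated by a clipboard-read permission or a user gesture,
  // depending on the browser. A rejection here is the trust boundary at work.
  if (typeof navigator !== "undefined" && navigator.clipboard && navigator.clipboard.readText) {
    navigator.clipboard.readText().then(
      (t) => console.log("readText succeeded:", t),
      (err) => console.log("readText blocked:", err && err.name)
    );
  }
}

// Constructed sample: three user pastes during one session, built as
// minimal event-like objects so the logic above can be exercised offline.
function makePasteEvent(text) {
  return {
    clipboardData: {
      types: ["text/plain"],
      getData: (type) => (type === "text/plain" ? text : ""),
    },
  };
}

const SAMPLE_PASTES = [
  makePasteEvent("alice@example.com"),
  makePasteEvent("Tr0ub4dor&3xyz!"),
  makePasteEvent("hello"),
];

// Stand-alone run: print what the page would have seen.
console.log(observedClipboardItems(SAMPLE_PASTES).map((t) => [t, looksSensitive(t)]));
```

The point of the two code paths is the asymmetry the comment describes: the paste handler gets whatever was on the clipboard when the user pressed Ctrl+V (a password copied from a manager, say), but nothing older and nothing without that action, whereas a local application in the same user session faces no such gate.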