Thursday, May 24, 2018

How safe/secure is the new Microsoft Cloud Clipboard

The Windows Clipboard has long been a contentious security issue for Microsoft.
The current clipboard clip is stored in plain-text in memory which available to-be read by any app and this is by design for programability, but has been a bone of contention for a long time. Many third party apps have addressed this by actively cleaning-up the clipboard after a few seconds, and store it into their own secure encrypted queue. Third party apps and the community benefit of this Windows well documented open API, but you have to be aware of the issue, and who as time for the minutiae.
For most, it’s still mentally manageable since the legacy clipboard only stored 1 clip at a time. If you copy a password, just immediately copy nonsense afterwards and you are safe. You can monitor the current clip with Clipboard viewer (clipbrd.exe) from Window 7, and trivially still works in Windows 10. Note: Chrome will marks all zipped .exe files as Dangerous, and this is not, it's unadulterated.

With the new "Cloud Clipboard", is actually the Clipboard History Viewer by using the Windows+V keyboard combination. This will be available in the next major release Fall Update 2018, but you can Windows 10 Insider Preview Build 17666. 
According to 
Bleeping Computer, this clipboard history is stored in a plain-text file;

This file is used to store the Cloud Clipboard history queue which represents a greater security risk. Since now you can attack a whole history of commands, and potential passwords.
The actually syncing of clipboard to cloud is using same mechanism as Microsoft Graph technology that powers the Timeline and subject to man-in-the-middle attacks which any HTTPS connection uses and also uses OAuth which can be subject to OAuth attacks. The Graph API sends messages as open text (JSON) via HTTPS as most systems do, and depends on SSL for it’s protection.
It’s recommended that set your Windows 10 Settings to select “Never automatically sync text that I copy” instead, you’ll have to manually choose what you want to copy to the cloud. To do so, open your Clipboard history with Windows+V, hover over an item in your clipboard history, and click the cloud-shaped “Sync to Other Devices” icon.

Lastly, according to Windows 10 Lock Screen Leaks Clipboard Contents post,
getting the current Windows 10 clip has been trivially hacked, but you have to be physically on the device to perform it.
The frighteningly simple hack goes as follows (but has been fixed recently):
1. Win+L: Lock workstation
2. Win+ENTER: Start Narrator
3. CapsLock+F1: Open Narrator Help
4. Ctrl+V: Profit!

No comments:

Post a Comment