touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #18800
[Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Description changed:
Currently, the clipboard is implemented such that all apps can access
the contents at any time. The clipboard contents should only be given to
apps based on user driven input (eg, a paste operation).
Attack scenario:
1. user launches malicious app 'baz' that polls the clipboard for contents
2. user launches legitimate app 'foo', at which point 'baz' is backgrounded
3. user selects some text and puts it into the clipboard
4. user opens legitimate app 'bar' and pastes text
5. user foregrounds 'baz' which now has access to the clipboard contents
In the above, users can understand that 'foo' and 'bar' have access to
the text put in the clipboard. However, it is unexpected that 'baz' also
has access since the user didn't paste the text into it.
As it is currently implemented, there is no clipboard timeout, so the
contents will persist through the session (unless changed by another
copy operation). Application lifecycle will help a little, but not fully
since whenever an app is foregrounded, it can the contents of the
keyboard.
+ In the short term, we should require that only a foregrounded app whould
+ be able to get clipboard contents. Push helpers should have an explicit
+ deny to the (upcoming) DBus clipboard access.
+
Ideally this would be handled via wholly user-driven interactions. While
this could be achieved via keyboard driven interactions, it is difficult
with toolkit driven interactions (ie, 'Paste' from a menu is necessarily
a pull operation). One idea is not to block access but instead make
users aware of the clipboard access (eg, an overlay that says "Pasted
from clipboard" and then fades out)-- this should be as unobtrusive as
possible.
** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided => High
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to content-hub in Ubuntu.
https://bugs.launchpad.net/bugs/1371170
Title:
information disclosure: clipboard contents can be obtained without
user knowledge
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
Triaged
Status in “content-hub” package in Ubuntu:
New
Status in “mir” package in Ubuntu:
New
Status in “unity8” package in Ubuntu:
New
Bug description:
Currently, the clipboard is implemented such that all apps can access
the contents at any time. The clipboard contents should only be given
to apps based on user driven input (eg, a paste operation).
Attack scenario:
1. user launches malicious app 'baz' that polls the clipboard for contents
2. user launches legitimate app 'foo', at which point 'baz' is backgrounded
3. user selects some text and puts it into the clipboard
4. user opens legitimate app 'bar' and pastes text
5. user foregrounds 'baz' which now has access to the clipboard contents
In the above, users can understand that 'foo' and 'bar' have access to
the text put in the clipboard. However, it is unexpected that 'baz'
also has access since the user didn't paste the text into it.
As it is currently implemented, there is no clipboard timeout, so the
contents will persist through the session (unless changed by another
copy operation). Application lifecycle will help a little, but not
fully since whenever an app is foregrounded, it can the contents of
the keyboard.
In the short term, we should require that only a foregrounded app
whould be able to get clipboard contents. Push helpers should have an
explicit deny to the (upcoming) DBus clipboard access. Background apps
should not be allowed to push content into the clipboard (application
lifecycle deals with this, but we need this for the future).
Ideally this would be handled via wholly user-driven interactions.
While this could be achieved via keyboard driven interactions, it is
difficult with toolkit driven interactions (ie, 'Paste' from a menu is
necessarily a pull operation). One idea is not to block access but
instead make users aware of the clipboard access (eg, an overlay that
says "Pasted from clipboard" and then fades out)-- this should be as
unobtrusive as possible.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1371170/+subscriptions
References