{"id":2835,"date":"2021-12-15T01:53:07","date_gmt":"2021-12-15T09:53:07","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2835"},"modified":"2021-12-15T01:53:07","modified_gmt":"2021-12-15T09:53:07","slug":"preventing-secrets-from-leaking-through-clipboard","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/","title":{"rendered":"Preventing secrets from leaking through Clipboard"},"content":{"rendered":"<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">For decades users have been pressing Ctrl+C or relying on copy buttons. All these tricks and shortcuts to speed up text processing have become natural and intuitive to us. We do not pay attention to what is happening to copied information besides the fact that we can paste it. It\u2019s safe to assume that most of us consider the clipboard as temporary data sharing. Once you copy something previous data in the clipboard will be overwritten. People rely on this assumption when they copy sensitive information such as passwords.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Security aspect of added convenience<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Pressing Ctrl+C in Windows 10 no longer does only what it was doing in Windows 3.0. Windows can now also preserve copied data in Clipboard History and sync it across devices. This may be very handy when you need to transfer information from one device to another.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <\/span><i><span style=\"font-weight: 400;\">temporary<\/span><\/i><span style=\"font-weight: 400;\"> effect of Ctrl+C is no longer temporary. For example, a password can stay unnoticed in local history forever.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <\/span><i><span style=\"font-weight: 400;\">local<\/span><\/i><span style=\"font-weight: 400;\"> effect of Ctrl+C is no longer local. For example, recovery codes copied last week on one device can appear in the clipboard of another PC for the same user.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In Windows 10 it is now possible to look up secrets from connected devices by pressing Windows+V on the unlocked system. There will be no audit trails and no authentication challenge. How many of us lock their system every time we go to get a cup of coffee?<\/span><\/p>\n<h2><\/h2>\n<h2><span style=\"font-weight: 400;\">What have we improved?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Starting with Firefox 94 and ESR 91.3, your browser keeps the temporary and local promise of clipboard in certain places where users expect privacy, and will not share that data with either Clipboard History or Cloud Clipboard. This protects users when they copy passwords and usernames from the Passwords page, and will protect everything people copy to the clipboard from a Private Browsing window.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We do this by using <\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/dataxchg\/clipboard-formats#cloud-clipboard-and-clipboard-history-formats\"><span style=\"font-weight: 400;\">appropriate clipboard formats<\/span><\/a><span style=\"font-weight: 400;\"> for sensitive data. The corresponding CVE can be found at <\/span><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-38505\"><span style=\"font-weight: 400;\">https:\/\/www.cve.org\/CVERecord?id=CVE-2021-38505<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Technology makes our lives better every day, but it also introduces new risks. Risks that most people are not aware of. Firefox strives to keep everyone safe and this is one step in that direction.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; For decades users have been pressing Ctrl+C or relying on copy buttons. All these tricks and shortcuts to speed up text processing have become natural and intuitive to us. &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/\">Read more<\/a><\/p>\n","protected":false},"author":1881,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[466104],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Preventing secrets from leaking through Clipboard - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sergey Galich\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/\",\"name\":\"Preventing secrets from leaking through Clipboard - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2021-12-15T09:53:07+00:00\",\"dateModified\":\"2021-12-15T09:53:07+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ff04a4140299ca2a20e6360412900852\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Preventing secrets from leaking through Clipboard\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ff04a4140299ca2a20e6360412900852\",\"name\":\"Sergey Galich\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/ced1261fcaec6216d9bd013c468ca779\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2833d3a3e30614503caf4c916c5c352e?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2833d3a3e30614503caf4c916c5c352e?s=96&d=identicon&r=g\",\"caption\":\"Sergey Galich\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Preventing secrets from leaking through Clipboard - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/","twitter_misc":{"Written by":"Sergey Galich","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/","url":"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/","name":"Preventing secrets from leaking through Clipboard - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2021-12-15T09:53:07+00:00","dateModified":"2021-12-15T09:53:07+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ff04a4140299ca2a20e6360412900852"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2021\/12\/15\/preventing-secrets-from-leaking-through-clipboard\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Preventing secrets from leaking through Clipboard"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ff04a4140299ca2a20e6360412900852","name":"Sergey Galich","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/ced1261fcaec6216d9bd013c468ca779","url":"https:\/\/secure.gravatar.com\/avatar\/2833d3a3e30614503caf4c916c5c352e?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2833d3a3e30614503caf4c916c5c352e?s=96&d=identicon&r=g","caption":"Sergey Galich"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2835"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1881"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2835"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2835\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2835"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}