How Secure is Your Copied Text (Clipboard)?
CTRL C and then CTRL V.
(For the Mac users: COMMAND+C and then COMMAND+V.)
Familiar? That's how you copy and paste on a keyboard.
For your touchscreen device it's as simple as highlighting the text with your finger and tapping "Copy."
The copy and paste function across desktops and other devices such as your smartphone is incredibly useful. I use mine all the time. I'm willing to bet that you do too.
The function itself is simple. You highlight text and tell the machine to remember it. The machine copies the text to its memory – called the clipboard. When you “paste,” the machine retrieves the text from its clipboard and places it where you said to.
Unfortunately, this ultra-convenient function is very unsecure by nature.
Across nearly all devices running all kinds of operating systems, your clipboard is pretty much public. In most cases, it can be read by pretty much any program or process running on your device.
Most of the time you don't even know when an application reads your clipboard.
Since this clipboard is "memory," you might think the machine auto-forgets what you copied after some time. This isn't the case at all; in fact, this usually doesn't happen unless you restart the device. How many of us do this regularly?
I don't know about you, but my smartphone is rarely completely off. The "Sleep" or "Standby" function doesn't usually count as off either.
So that password you copied from your device's notes can be read by some nosy script that means you no good. You know, like those written by bad-guy hackers who like to break into accounts and steal sensitive information.
That can be pretty scary. Surely these big tech companies have found a way to put some type of security on this common function, right?
Well, let's see how (and if) they do...
The Windows 10 clipboard isn’t secure. The text copied to your clipboard is stored in plain-text format.
The issue hasn’t been addressed by Microsoft directly, but some third-party apps have addressed the issue over the years. Usually these third-party apps store what they find in your clipboard and then encrypt that information on their own servers.
This is good and well and all, but that means that those third-party apps have access to your clipboard… and a lot of other apps do too. In theory, your clipboard can be read by some maliciously nosy script on a website that you visit.
How? Again, it’s not hard at all to access the clipboard since everything is stored in plain-text format.
Windows also has the neat functionality of potentially storing your local clipboard in the cloud clipboard history queue. The cloud clipboard allows devices synced across your Microsoft account to read what’s copied there.
This proves useful, but again, there is the real issue of privacy vs. convenience, since the clipboard is very easily readable.
Thankfully, in most cases the ability to sync your clipboard to cloud is disabled by default. If yours happens to be enabled, you can disable the cloud clipboard in the Windows 10 settings.
Configuring the clipboard settings for your local clipboard isn’t as easy – outside of downloading third-party apps.
Much like Windows, the clipboard of the macOS is a public billboard of pretty much all processes and applications running on the system.
Also, like Windows, it isn’t secure.
For some people that might be a shock, because macOS is often touted as being more secure than systems that run Windows. To an extent, this is true; mostly because macOS is based off Unix (cousin to Linux), whereas Windows is not.
Like Microsoft, Apple has implemented a cloud clipboard as well. This cloud clipboard is called the “universal clipboard.” The universal clipboard is tied to “Handoff,” which syncs between apple devices.
Note that in order to use this feature, Bluetooth and Wi-Fi must be turned on. You can argue this is more secure than Windows’ cloud clipboard because Bluetooth 4.0 has basic encryption between connected devices.
However, since the clipboard is still such a public bulletin, it remains largely unsecure.
There's a trend here, isn't there?
Not much changes with the security of the clipboard from macOS to iOS.
Any app on an iOS device can access the most recent thing copied to your clipboard. This goes for both text and images.
Theoretically, a malicious app can read what’s on your iOS clipboard and then feed that information back to a remote server. That remote server can be easily accessed by someone stealing your personal and sensitive information.
Here's a short demonstration:
In the video, a developer created an app called KlipboardSpy. The app easily read and accessed data stored on the iOS clipboard. The developer also created a widget to perform the same function.
So simply put, the iOS clipboard isn’t secure either.
Just like its iOS counterpart, the Android clipboard is no more or less secure. It's just as vulnerable to the demonstration shown in the YouTube video above.
How to secure the clipboard?
The short, and unfortunate, answer is: you can't. You could never use the function, but even for the ever-going privacy (or security) versus convenience debate, I believe that is way too much of an extreme.
Also, it's important to realize that is not something that is easily fixable by developers/programmers at Microsoft, Apple, or Google.
The fact that everything running on a device can read the clipboard is what makes the copy-and-paste function so helpful and convenient.
Realistically speaking, all of us have higher priority digital threats out there. The biggest thing that comes to mind is malware running on our devices without us knowing; things such as viruses, backdoors, trojan horses, malicious scripts, and other bad stuff.
The lack of security of the clipboard is something you should be aware of. To mitigate the risk of exposing sensitive information I recommend you stop leaving sensitive information in the clipboard after you’re done with pasting.
All this means is that you should copy something else once you’re done copy and pasting whatever else you were doing.
If you’re copying a pasting a password, do that. After you’re done, copy something else.
The same goes for other sensitive information such as your social security number, authentication codes, account numbers, etc.
As always, stay safe out there!