Author: Liz & Reborn

Editor: Sherry

Background

In the previous issue of the Web3 Security Beginner's Guide to Avoiding Pitfalls, we analyzed the Pixiu Disk scam. This issue turns to clipboard security.

In many crypto asset theft cases, the victim's most confusing question is: "I never transmitted my private key over the network, so how could it be stolen?" In fact, a private key or mnemonic does not have to be uploaded to the cloud or sent over the network to leak. It can leak during operations that feel "local" and therefore "safe". Have you ever filled in a private key or mnemonic by copying and pasting it? Have you ever saved it in a notes app or as a screenshot? These everyday actions are exactly the entry points attackers look for.

In this issue we explain how the clipboard works, how it is attacked, and the prevention suggestions we have summarized in practice, so that users can build more solid asset protection habits.

Why the Clipboard is Risky

The clipboard is a temporary storage area provided by the operating system and shared by all local applications. It holds transient data (text, images, file paths, and so on) so that content can be copied from one application and pasted into another. For example, when you copy a wallet address, the operating system keeps that address in the clipboard until it is overwritten by new content or explicitly cleared.

  • Plaintext storage: Mainstream operating systems (Windows, macOS, and Linux) do not encrypt clipboard data; it sits in memory in plaintext.

  • System APIs provide access: Every operating system exposes clipboard APIs to applications. On desktop systems, any program running as the current user (a text editor, a browser extension, an input method, a screenshot tool, a clipboard manager, or malware) can read or rewrite the clipboard silently in the background, with no permission prompt. Mobile systems are stricter (iOS, for example, shows a banner or a prompt when an app reads the clipboard), but input methods and clipboard managers that the user has installed still see everything that is copied.

Furthermore, clipboard contents are not cleared automatically, so they can remain readable for a long time. If a user copies sensitive information and does not overwrite or clear it promptly, malware or a third-party application has a correspondingly longer window in which to read it.

Some clipboard malware is built specifically to tamper with addresses. The 2024 UNODC report on transnational organized crime in Southeast Asia notes that a common tool of Southeast Asian criminal groups is the clipper. A clipper monitors the clipboard of the infected system and waits for a cryptocurrency address to appear, then replaces it with the attacker's address. Once the victim pastes the replaced address and sends the transaction, the funds go to the attacker. Because cryptocurrency wallet addresses are long strings of characters, users rarely notice that the receiving address has changed.

(https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf)

At this point, it should be clear that the most fundamental defenses against clipboard attacks are to avoid copying sensitive information in the first place and to keep the device free of malware, for example with reputable antivirus software.

The purpose of clearing the clipboard is to shorten the exposure time of sensitive information and reduce the chance that malware or another application reads it. If you accidentally copy something sensitive, clearing the clipboard promptly reduces the chance of leakage. The simplest method is to immediately copy a large block of irrelevant content to "flush" out what was copied before; this reduces, though it does not eliminate, the probability of the sensitive content being read.

However, if your device is already infected with malware that steals or tampers with clipboard contents, manually clearing the clipboard is of limited use. Such programs watch for clipboard changes and read the new value immediately, so manual clearing cannot keep pace with them. The best practice is therefore to avoid copying sensitive information at the source and to keep the device itself secure. If you suspect your device is infected, move your assets to a new wallet (created on a clean device) as soon as possible to prevent further losses.

In addition to the clipboard, sensitive information can leak through the following channels, which deserve the same attention:

  • Photo album, cloud storage, input method: Keep private keys and mnemonics away from anything that syncs to the Internet, including but not limited to photo albums, cloud storage, WeChat favorites, and phone notes apps. Avoid typing sensitive information through an input method: prefer the system's built-in keyboard and turn off the input method's "cloud sync" feature. Try not to fill in private keys or mnemonics by copying and pasting.

  • Malware risk: Scan your system regularly with antivirus software to detect and remove malware.

  • Browser extension permissions: Disable extensions you do not need. If you are unsure what an extension can do, install it without using it, note its extension ID, locate the extension's folder on disk by that ID, and open the manifest.json file in its root directory. The "permissions" and "host_permissions" fields list what it can access; for this topic, "clipboardRead" and "clipboardWrite" are the entries to look for, and a very broad host permission such as "<all_urls>" means its content scripts run on every site you visit. You can also paste the file into an AI assistant for a permission-risk interpretation. If you prefer isolation, run unfamiliar extensions in a separate Chrome profile so that any malicious behavior is at least contained to that profile.

  • Transfer address tampering: When sending cryptocurrency, check the whole receiving address character by character before confirming, not only the first and last few characters. Look-alike addresses that share both ends with a real one are cheap to generate, so a glance at the two ends is not enough to catch a clipboard swap.
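The clipboard mechanics described above (any application can read and rewrite the clipboard) and the address check in the last bullet can be turned into a small tool. The following is an added example written for this article, not code from the authors or from any wallet project. It assumes the platform clipboard commands pbpaste/pbcopy (macOS), xclip (X11 Linux) and clip / Get-Clipboard (Windows) are installed, and its address patterns are shape checks only, not checksum validation. detect_swap() compares the address you copied with what is in the clipboard now and flags the case where a replacement shares the first and last characters; flush_clipboard() is the command-line form of the "copy something irrelevant to overwrite it" advice given earlier.

```python
"""Clipboard hygiene helpers (added example, not from the original article).

classify()     - does a string look like a wallet address, and of which family?
detect_swap()  - did the address change between copy and paste (clipper check)?
flush_clipboard() / read_clipboard() - command-line versions of "copy something
irrelevant to overwrite it"; the platform commands (pbcopy/pbpaste, xclip, clip,
Get-Clipboard) are assumed to be installed and on PATH.
"""
import re
import subprocess
import sys
import time

# Shape-only patterns for common address families (constructed for this
# example; they check format, not checksums).
ADDRESS_PATTERNS = {
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify(text):
    """Return the address family `text` looks like, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def detect_swap(copied, pasted):
    """Compare the address you copied with what reached the paste target.

    Returns (ok, reason). A clipper substitutes an address of the same
    family, and may pick one sharing the first/last characters so a glance
    at both ends still looks right; that case is reported explicitly.
    """
    a, b = copied.strip(), pasted.strip()
    if a == b:
        return True, "identical"
    fam_a, fam_b = classify(a), classify(b)
    if fam_a and fam_a == fam_b:
        if a[:4] == b[:4] and a[-4:] == b[-4:]:
            return False, "swapped: same prefix/suffix, different middle"
        return False, "swapped: different address of the same family"
    return False, "content changed"


def _clipboard_cmds():
    """Pick read/write commands for this platform (assumed available)."""
    if sys.platform == "darwin":
        return ["pbpaste"], ["pbcopy"]
    if sys.platform.startswith("win"):
        return (["powershell", "-NoProfile", "-Command", "Get-Clipboard"],
                ["clip"])
    # X11 Linux; Wayland desktops use wl-paste / wl-copy instead.
    return (["xclip", "-selection", "clipboard", "-o"],
            ["xclip", "-selection", "clipboard"])


def read_clipboard():
    """Return the current clipboard text via the platform command."""
    read_cmd, _ = _clipboard_cmds()
    return subprocess.run(read_cmd, capture_output=True, text=True,
                          check=True).stdout


def flush_clipboard(filler="clipboard cleared"):
    """Overwrite the current clipboard contents with harmless text.

    This only shortens the exposure window: a clipper that already read
    the value is not undone by flushing.
    """
    _, write_cmd = _clipboard_cmds()
    subprocess.run(write_cmd, input=filler, text=True, check=True)


def watch(copied, interval=0.5, checks=20):
    """Poll the clipboard for a few seconds after copying an address and
    return the first swap reason seen, or None if it stayed intact."""
    for _ in range(checks):
        ok, reason = detect_swap(copied, read_clipboard())
        if not ok:
            return reason
        time.sleep(interval)
    return None


if __name__ == "__main__":
    # Usage: copy a receiving address, then run:  python clip_check.py <addr>
    addr = sys.argv[1] if len(sys.argv) > 1 else read_clipboard()
    print("looks like:", classify(addr))
    swap = watch(addr)
    print("clipboard swap detected:", swap or "none")
    flush_clipboard()
```

The polling in watch() is deliberately short: a clipper reacts to the copy event within milliseconds, so if the clipboard still holds the original address after a few seconds, the swap did not happen on this copy. It is a check you can run on a machine you suspect, not a substitute for comparing the address shown in the wallet's confirmation screen against the intended one.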

Clipboard Clearing Tutorial

Here are some simple ways to clear the clipboard on macOS, iOS, Android, and Windows:

macOS keeps only the current clipboard content and records no history, so copying some irrelevant content overwrites the sensitive value. Note that a third-party clipboard manager (the kind that offers a clipboard history) keeps its own history outside the system clipboard, so if you use one, clear its history as well. iOS likewise keeps only the current clipboard content. Besides copying irrelevant content, you can build a Shortcut that clears the clipboard and add it to the home screen for one-tap clearing.

(https://x.com/0xBeyondLee/status/1855630836118467028)

Windows 7 and earlier keep only the current clipboard content, with no history, so copying some irrelevant content overwrites the original and indirectly clears it. On Windows 10 / 11 with "Clipboard history" enabled, press Win + V to open the history panel and click "Clear all" to delete every entry; the same can be done from Settings > System > Clipboard. While you are in that settings page, make sure "Sync across devices" is off, otherwise copied content is also uploaded to your Microsoft account.

On Android, "clipboard history" usually means the history kept by the input method. Many Android keyboards provide a clipboard history feature; open the keyboard's clipboard management screen and manually delete the entries you no longer need.

In short: if the system itself keeps no history, copying new content to overwrite the old is enough. If the system or keyboard keeps a clipboard history (Windows 10/11, some Android devices, third-party clipboard managers), clear that history manually as described above.

Summary

The clipboard is an often overlooked but frequently exploited leakage channel. We hope this article helps users re-examine the security risks of copying and pasting and recognize that "local" does not mean "safe". Security is a matter of behavior as much as technology: only by staying vigilant in daily operations, improving security awareness, and applying basic protections can you truly protect your assets.