Author: Liz & Reborn
Editor: Sherry
Background
In the previous issue of the Web3 Security Beginner's Guide, we analyzed the Pi Yao Pan scam; this issue will focus on clipboard security.
In many cryptocurrency theft incidents, the point victims find most confusing is often: 'I never transmitted my private key online; how could it be stolen?' In fact, a private key or mnemonic phrase does not have to leak through the cloud or an online transmission; it can also leak during operations that seem 'local and safe'. For example, have you ever entered your private key or mnemonic phrase by copy-pasting? Have you ever saved it in a note or a screenshot? These everyday operations are exactly the entry points attackers target.
This issue will focus on clipboard security, helping you understand its principles, attack methods, and the prevention advice we have summarized in practice, assisting users in building a stronger awareness of asset protection.
Why the clipboard poses risks
The clipboard is a temporary storage space provided by the operating system for local applications to share, mainly used to store temporary data (such as text, images, file paths, etc.) so that different applications can conveniently copy and paste content. For example, when you copy a wallet address, the operating system stores the address in the clipboard until it is overwritten or cleared by new content.
Plaintext storage: Most operating systems (such as Windows, macOS, Linux) do not encrypt clipboard data by default, but store it in plaintext in memory.
System APIs provide access methods: Most operating systems provide clipboard-related APIs that allow applications to access the clipboard. This means that if an application (such as a text editor, browser extension, input method, screenshot tool, or even malware) has the appropriate permissions, it can silently read or even tamper with data in the background.
Moreover, since the contents of the clipboard are not automatically cleared by default, they may remain accessible for a long time. If users copy sensitive information but do not overwrite or clear it in a timely manner, malware or third-party applications have the opportunity to read this content.
Some clipboard malware is specifically used to tamper with addresses. The fraud report on transnational organized crime in Southeast Asia published by the United Nations Office on Drugs and Crime in 2024 mentions that one common malware used by Southeast Asian crime groups is a clipper. This type of software monitors the clipboard of infected systems, waiting to replace addresses in cryptocurrency transactions. Once the victim inadvertently conducts a transaction, the funds will be transferred to the attacker's address. Since cryptocurrency wallet addresses are usually very long, users are less likely to notice changes in the receiving address.
(https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf)
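The clipper scenario above is best countered on the receiving side, by checking that the address about to be used is the one that was actually copied. The following is an added example, not code from the original article or from SlowMist; it models the check a wallet UI could run before signing: remember a fingerprint of the address copied inside the app and refuse to proceed when the pasted destination does not match. The addresses are constructed samples, and the "swapped" one shares prefix and suffix with the original to show why an abbreviated display such as 0x1234…abcd is not enough to notice a swap.

```python
"""Paste guard against clipper malware: compare what was copied with what is pasted.

Added example, not from the original article. The addresses below are constructed
samples, not real accounts.
"""
from __future__ import annotations

import hashlib
import re

EVM_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample addresses: SWAPPED differs from INTENDED only in the middle 32 characters.
INTENDED = "0x1234" + "a" * 32 + "abcd"
SWAPPED = "0x1234" + "b" * 32 + "abcd"


def normalize(address: str) -> str:
    """Canonical form for comparison: trimmed and case-folded (EVM hex is case-insensitive)."""
    return address.strip().lower()


def abbreviate(address: str, head: int = 6, tail: int = 4) -> str:
    """The shortened form many wallet UIs display, e.g. 0x1234…abcd."""
    return f"{address[:head]}…{address[-tail:]}"


def looks_same_when_abbreviated(a: str, b: str) -> bool:
    """True when two different addresses collapse to the same abbreviated display."""
    return normalize(a) != normalize(b) and abbreviate(normalize(a)) == abbreviate(normalize(b))


class ClipboardGuard:
    """Remembers a fingerprint of the last address copied inside the app."""

    def __init__(self) -> None:
        self._copied_fingerprint: str | None = None

    def remember_copied(self, address: str) -> None:
        # Store only a hash, so the guard never needs to hold the address itself.
        self._copied_fingerprint = hashlib.sha256(normalize(address).encode()).hexdigest()

    def verify_pasted(self, pasted: str) -> dict:
        """Return a verdict for the pasted destination address."""
        p = normalize(pasted)
        if not EVM_ADDRESS_RE.match(p):
            return {"ok": False, "reason": "not a well-formed EVM address"}
        if self._copied_fingerprint is None:
            return {"ok": False, "reason": "no in-app copy recorded; verify the full address manually"}
        if hashlib.sha256(p.encode()).hexdigest() != self._copied_fingerprint:
            return {"ok": False, "reason": "pasted address differs from the copied one; possible clipper"}
        return {"ok": True, "reason": "pasted address matches the copied one"}


if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.remember_copied(INTENDED)
    print("abbreviated display identical:", looks_same_when_abbreviated(INTENDED, SWAPPED))
    print("paste of intended:", guard.verify_pasted(INTENDED))
    print("paste of swapped: ", guard.verify_pasted(SWAPPED))
```

The guard only helps when the copy happened inside the same application; an address received over chat and pasted straight into the wallet has no recorded fingerprint, and the code deliberately reports that case as "verify manually" rather than as a pass.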
Having read this far, you have probably realized that the fundamental way to prevent clipboard attacks is to avoid copying sensitive information in the first place, and to install professional antivirus software to keep malware off the device.
The main purpose of clearing the clipboard is to shorten the exposure time of sensitive information and reduce the risk of it being read by malware or other applications. If you accidentally copy sensitive information, clearing the clipboard in a timely manner can lower the possibility of leakage. A simple method is to immediately copy a large amount of irrelevant content to 'flush' the previously copied sensitive information, which can somewhat reduce the probability of being read.
However, if your device is already infected with malware that steals or alters clipboard content, the effect of manually clearing the clipboard is very limited. This is because these malicious programs can monitor and read data in real time, making it difficult for manual clearing to keep up with their actions. Therefore, the best practice is to avoid copying sensitive information from the outset and ensure device security. If you suspect your device has been infected, it is advisable to transfer your assets to a new wallet as soon as possible to prevent further losses.
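To make the points above concrete (what "sensitive" clipboard content looks like, and what overwriting the clipboard does and does not achieve), here is an added example, not code from the original article or from SlowMist. It classifies a clipboard string as a mnemonic, a private key, an address or something else, and overwrites the clipboard with filler using the platform's native tool. The detection rules are heuristics chosen for this illustration: a mnemonic is recognised by word count and character class only (no BIP39 wordlist check), and the private-key patterns cover raw 32-byte hex keys and Bitcoin WIF strings. All sample strings are constructed.

```python
"""Clipboard hygiene helper: spot secret-looking clipboard text and overwrite it.

Added example, not from the original article. Detection rules are illustrative
heuristics; sample strings are constructed and none is a real key or wallet.
"""
from __future__ import annotations

import re
import shutil
import subprocess
import sys

# Constructed sample strings for demonstration.
SAMPLE_MNEMONIC = "apple banana cherry dog eagle fish grape house igloo jelly kite lemon"
SAMPLE_HEX_KEY = "0x" + "ab" * 32     # 64 hex digits: the shape of a raw 256-bit private key
SAMPLE_ADDRESS = "0x" + "12" * 20     # 40 hex digits: the shape of an EVM address (public data)
SAMPLE_HARMLESS = "meeting moved to 3pm, bring the slides"

HEX_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
EVM_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
# Bitcoin WIF keys start with 5 (uncompressed) or K/L (compressed) and are 51-52 Base58 chars.
WIF_RE = re.compile(r"^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$")
MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)


def classify_clipboard_text(text: str) -> str:
    """Return 'mnemonic', 'private_key', 'address' or 'other' for one clipboard string."""
    t = text.strip()
    words = t.split()
    if len(words) in MNEMONIC_LENGTHS and all(w.isalpha() and w.islower() for w in words):
        return "mnemonic"
    if HEX_KEY_RE.match(t) or WIF_RE.match(t):
        return "private_key"
    if EVM_ADDRESS_RE.match(t):
        return "address"
    return "other"


def is_secret(text: str) -> bool:
    """Mnemonics and private keys must never sit in the clipboard; addresses are public."""
    return classify_clipboard_text(text) in ("mnemonic", "private_key")


def clipboard_write_command() -> list[str] | None:
    """Pick the platform's native clipboard writer, or None if none is installed."""
    if sys.platform == "darwin" and shutil.which("pbcopy"):
        return ["pbcopy"]
    if sys.platform.startswith("win") and shutil.which("clip"):
        return ["clip"]
    for tool, args in (("wl-copy", []),
                       ("xclip", ["-selection", "clipboard"]),
                       ("xsel", ["--clipboard", "--input"])):
        if shutil.which(tool):
            return [tool, *args]
    return None


def overwrite_clipboard(filler: str = " ") -> bool:
    """Overwrite the current clipboard content with harmless filler.

    This only shortens the exposure window. It does nothing against a clipper that has
    already read the content, which is why the article says not to copy secrets at all.
    """
    cmd = clipboard_write_command()
    if cmd is None:
        return False
    subprocess.run(cmd, input=filler.encode(), check=True)
    return True


if __name__ == "__main__":
    for sample in (SAMPLE_MNEMONIC, SAMPLE_HEX_KEY, SAMPLE_ADDRESS, SAMPLE_HARMLESS):
        print(f"{classify_clipboard_text(sample):12s} {sample[:40]}")
    if is_secret(SAMPLE_MNEMONIC):
        print("overwrite ok:", overwrite_clipboard())
```

The mnemonic rule will also flag an ordinary twelve-word lowercase sentence; for a hygiene tool that errs on the side of caution this is acceptable, but a wallet that blocks pastes on this signal should add a wordlist check.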
In addition to the clipboard, sensitive information may also be leaked through the following methods, and users should be extra cautious:
Photo albums, cloud storage, input methods: Avoid exposing private keys / mnemonic phrases to the internet, including but not limited to photo albums, cloud storage, WeChat favorites, mobile notes, etc. Avoid entering sensitive information in input methods, and it is recommended to use the system's built-in input method while disabling the 'cloud sync' feature of the input method. Also, try not to fill in private keys / mnemonic phrases via copy and paste.
Malware risk: Regularly use antivirus software to scan the system for potential malware.
Browser extension permission issues: Disable unnecessary browser extensions. If you are concerned about the permission risks of a particular extension, you can install it without using it, look up its extension ID, locate the extension's local directory on disk, open the manifest.json file in its root directory, and paste the file contents into an AI assistant for a permission risk review. If you think in terms of isolation, consider running unfamiliar extensions in a separate Chrome Profile, so that at least any malicious behaviour is contained.
Transfer address tampering risk: When conducting cryptocurrency transfers or similar operations, be sure to carefully verify the wallet address to avoid misdirecting funds due to clipboard tampering.
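The manifest.json review suggested above can be done locally instead of by sending the file to an AI assistant. The following is an added example, not code from the original article or from SlowMist: it reads a manifest, gathers its permissions and host patterns (covering both Manifest V2 and V3 layouts), and flags clipboard access, broad host access and other powerful permissions. The manifest embedded in the script is a constructed sample, not a real extension; the permission names it uses (clipboardRead, clipboardWrite, tabs, storage, <all_urls>) are real Chrome manifest values.

```python
"""Triage a browser extension's manifest.json for clipboard and broad permissions.

Added example, not from the original article. SAMPLE_MANIFEST is a constructed
sample; the permission names are real Chrome manifest values.
"""
from __future__ import annotations

import json
import sys

SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Constructed sample extension",
    "version": "1.0",
    "permissions": ["clipboardRead", "clipboardWrite", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}
# Permissions that give wide visibility into browsing or the ability to run code in pages.
POWERFUL_PERMS = {"tabs", "webRequest", "webNavigation", "scripting", "debugger",
                  "nativeMessaging", "cookies", "history"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def collect_hosts(manifest: dict) -> set[str]:
    """Gather host patterns from MV3 host_permissions, MV2 permissions and content scripts."""
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions".
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts


def triage_manifest(manifest_text: str) -> dict:
    """Return a small report: risk level plus the permissions that drove it."""
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = collect_hosts(manifest)
    clipboard = sorted(perms & CLIPBOARD_PERMS)
    powerful = sorted(perms & POWERFUL_PERMS)
    broad_hosts = sorted(hosts & BROAD_HOST_PATTERNS)

    findings = []
    if clipboard:
        findings.append("can access the clipboard: " + ", ".join(clipboard))
    if broad_hosts:
        findings.append("runs on or can reach every site: " + ", ".join(broad_hosts))
    if powerful:
        findings.append("powerful browser permissions: " + ", ".join(powerful))

    # Clipboard access combined with access to every site is the pairing that matters
    # most for the address-tampering scenario discussed in the article.
    if clipboard and broad_hosts:
        risk = "high"
    elif clipboard or broad_hosts or powerful:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "risk": risk, "clipboard": clipboard,
            "broad_hosts": broad_hosts, "powerful": powerful, "findings": findings}


if __name__ == "__main__":
    # Usage: python triage.py /path/to/extension/manifest.json (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    report = triage_manifest(text)
    print(f"{report['name']}: risk {report['risk']}")
    for finding in report["findings"]:
        print(" -", finding)
```

A "low" result only means the manifest declares nothing alarming; it says nothing about what the extension's JavaScript does with the permissions it has, so the isolation advice above (a separate profile for unfamiliar extensions) still applies.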
Clipboard Clearing Tutorial
Here are some relatively simple methods for clearing the clipboard on macOS, iOS, Android, and Windows that you can practice:
macOS keeps only the current clipboard content and records no history, so copying a piece of irrelevant content overwrites the sensitive data. iOS likewise keeps only the current clipboard content; besides copying irrelevant content, users can create a Shortcut that clears the clipboard and add it to the home screen for quicker clearing.
(https://x.com/0xBeyondLee/status/1855630836118467028)
Windows 7 and earlier versions only save the current clipboard content without any history. You can overwrite the original content in the clipboard by copying a piece of irrelevant content, thereby indirectly clearing it. Windows 10 / 11 (if 'Clipboard History' is enabled): Press Win + V to view clipboard history, and click the 'Clear All' button in the upper right corner to delete all history.
The clipboard history on Android usually refers to the clipboard history recorded by the input method. Many Android devices provide clipboard history functionality in the input method, allowing users to enter the clipboard management interface of the input method to manually clear unwanted records.
In short, if the system itself does not save history, simply copy new content to overwrite it. If the system has clipboard history (like Windows 10 / 11 or some Android devices), then manually clearing the history according to the methods mentioned above is sufficient.
Summary
The clipboard is a frequently overlooked but high-risk channel for leakage. We hope this article helps users re-evaluate the security risks of copy and paste, realizing that 'local operations do not equal absolute security.' Security is not just a technical issue; it's also a matter of behavior. Only by maintaining vigilance in daily operations, enhancing security awareness, and implementing basic protective measures can we truly safeguard our assets.