Clipboard of host sent to remote machine, must be more explicit
Reproduction
- On your Linux desktop, open a text editor
- Type "My password", select the text, and hit Ctrl-C
- Open a Vinagre VNC connection to a remote host, e.g. running Windows
- On the remote Windows host, open notepad.exe
- In notepad's menu bar, using the mouse, click on Edit|Paste
Actual result
notepad.exe shows "My password"
That implies that the remote machine is silently snooping on the local clipboard, even if I'm not even interacting with the remote machine and vinagre is open only in the background. You might say "This is how the clipboard works", but that's true only for local machines where the security context is the same as "can run local application". If local applications A and B both have full rights to run arbitrary code, then it's OK for them to read the clipboard. It is not OK for a remote machine, which doesn't have "run arbitary code" permissions on my local machine.
For the same reason, browsers only paste into the page after explicit user action, and the programmatic clipboard APIs are considered security-sensitive and require explicit user approval, specifically "the clipboard-read
or clipboard-write
permission as appropriate." (Quote)
Expected result
Nothing. (See Suggested Solutions below)
Suggested solutions
-
"Paste" button on VNC viewer toolbar. If the user presses the button, the viewer sends the clipboard to the remote machine at that moment, and then triggers a Ctrl-V keypress on the remote machine.
-
If the user doesn't press the button, but focuses the VNC viewer and presses Ctrl-V, the viewer sends the clipboard to the remote machine and only then sends the Ctrl-V to the remote machine.
-
A combination of 1. and 2.
Whether you use the mouse or keyboard, you wouldn't need any more actions in practice. You still do Ctrl-C in your Linux app, switch to the viewer, press Ctrl-V there, and you got the text in notepad.exe.
Of course that would be configurable so that you can change they key combo, e.g. for Macs, or to disable sending the key combo after the Paste button, or to disable the clipboard entirely.
Importance / Impact
This is a security hole. Because I use a different password for every service, I have to copy&paste them. However, the remote machine is not trusted. In some cases, it's owned by a different company, in other cases I use VNC and a different machine specifically because I don't trust the software and need to test.
If the untrusted host can get to my passwords from my trusted desktop, that's a security hole, because my passwords leak, and they may well give full access to other machines, my bank account or other highly sensitive data.