CAPEC-637: Collect Data from Clipboard
The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized.
Last updated
Overview
CAPEC-637 (Collect Data from Clipboard) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Find an application that allows copying sensititve data to clipboad] An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data
- Step 2Experiment
[Target users of the application] An adversary will target users of the application in order to obtain the information in their clipboard on a periodic basic
- Install malware on a user's system designed to log clipboard contents periodically
- Get the user to click on a malicious link that will bring them to an application to log the contents of the clipboard
- Step 3Exploit
[Follow-up attack] Use any sensitive information found to carry out a follow-up attack
What the attacker needs
Prerequisites
- The adversary must have a means (i.e., a pre-installed tool or background process) by which to collect data from the clipboard and store it. That is, when the target copies data to the clipboard (e.g., to paste into another application), the adversary needs some means of capturing that data in a third location.
Skills required
- High skill: To deploy a hidden process or malware on the system to automatically collect clipboard data.
Consequences
What a successful CAPEC-637 attack can achieve.
Read Data
Affects: Confidentiality
How to mitigate it
Defenses that reduce the risk of CAPEC-637.
- While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality.
- Employ a robust identification and audit/blocking via using an allowlist of applications on your system. Malware may contain the functionality associated with this attack pattern.
Terminology & mappings
Mapped taxonomies
- ATTACK: Clipboard Data (1115)
Frequently asked questions
Common questions about CAPEC-637.
- What is CAPEC-637?
- The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized.
- How does a Collect Data from Clipboard attack work?
- It typically unfolds over 3 phases. It begins with: [Find an application that allows copying sensititve data to clipboad] An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data
- How do you prevent CAPEC-637?
- While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality.
- What weaknesses does CAPEC-637 target?
- CAPEC-637 exploits 1 CWE weakness, including CWE-267 (Privilege Defined With Unsafe Actions).
- How severe is CAPEC-637?
- MITRE rates CAPEC-637 as Low severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-637
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.