
Potential risk of sensitive data exposure through clipboard #51

Open
@iuricmp

Description


The wallet application facilitates copying sensitive data, specifically mnemonic and private key passphrases, to the clipboard. This functionality presents a significant security risk, as clipboard data could be accessed both locally and remotely by unauthorized processes or malicious web pages. Attackers can exploit this vulnerability by leveraging scripts or pages designed to capture clipboard content, thereby compromising the confidentiality of critical information.

Furthermore, in multi-device environments where clipboard sharing is enabled (such as between smartphones, tablets, and laptops), sensitive data copied to the clipboard can be inadvertently exposed across multiple devices. This significantly increases the attack surface, as an attacker gaining access to any linked device can retrieve the copied mnemonic or private key.

Recommendation

It is recommended to avoid providing a direct copy-to-clipboard feature for sensitive information, such as mnemonic and private key passphrases. Instead, consider implementing a secure display mechanism that requires users to manually input or write down the passphrase. If clipboard functionality is essential for the user experience, implement automatic clipboard clearing after a short period to reduce exposure time. Additionally, display a warning when sensitive information is copied, advising users to clear their clipboard and avoid copying data in shared or multi-device environments where clipboard data can be synchronized across devices. Another option is to allow users to copy almost all of the necessary information but not the complete secret; this way, the secret is never copied to the clipboard in its entirety. These measures will significantly reduce the risk of unauthorized access to sensitive information.
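As an added example that is not part of the original issue or of the wallet's code, the following plain JavaScript shows the three mitigations the recommendation lists: withholding part of the secret, warning the user, and clearing the clipboard after a short period in a way that does not clobber something the user copied later. The clipboard and scheduler interfaces, the 30-second default, the `FakeClipboard`/`FakeScheduler` stand-ins and the sample word list are all assumptions made for this example; a browser build would wrap `navigator.clipboard` (whose methods return promises) and `setTimeout`/`clearTimeout` into these shapes.

```javascript
// Added example, not the wallet's code. Demonstrates: partial copy, user warning,
// and timed clipboard clearing that only wipes our own value.
// Clipboard and scheduler are injected (hypothetical interfaces) so this runs
// offline in Node; adapt navigator.clipboard and setTimeout for a real page.

const DEFAULT_CLEAR_AFTER_MS = 30000; // assumption: 30 s exposure window

// Return all but the last `withhold` words of a mnemonic so the full secret never
// reaches the clipboard; the user types the withheld words from their backup.
function redactMnemonic(mnemonic, withhold = 1) {
  const words = mnemonic.trim().split(/\s+/).filter(Boolean);
  if (!Number.isInteger(withhold) || withhold < 1 || withhold >= words.length) {
    throw new RangeError('withhold must be between 1 and wordCount - 1');
  }
  return { partial: words.slice(0, words.length - withhold).join(' '), withheld: withhold };
}

// Copy `text` and schedule a wipe. The wipe fires only if the clipboard still holds
// our value, so an unrelated copy the user made in the meantime is left alone.
// clipboard: { writeText(s), readText() }   schedule(fn, ms) -> { cancel() }
function copySensitive(text, clipboard, schedule, ttlMs = DEFAULT_CLEAR_AFTER_MS) {
  clipboard.writeText(text);
  const timer = schedule(() => {
    if (clipboard.readText() === text) clipboard.writeText('');
  }, ttlMs);
  return {
    warning: `Copied. The clipboard will be cleared in ${Math.ceil(ttlMs / 1000)} s. ` +
      'Paste it now, then clear your clipboard; avoid shared or synced clipboards.',
    // Let the UI wipe early (e.g. after a successful paste or on navigation).
    clearNow: () => {
      timer.cancel();
      if (clipboard.readText() === text) clipboard.writeText('');
    },
  };
}

// In-memory stand-ins (constructed for this example) for the clipboard and timers.
class FakeClipboard {
  constructor() { this.value = ''; }
  writeText(s) { this.value = s; }
  readText() { return this.value; }
}

class FakeScheduler {
  constructor() { this.now = 0; this.tasks = []; }
  schedule(fn, delayMs) {
    const task = { at: this.now + delayMs, fn, cancelled: false };
    this.tasks.push(task);
    return { cancel: () => { task.cancelled = true; } };
  }
  // Move the clock forward and run every task that has come due, in order.
  advance(ms) {
    this.now += ms;
    const due = this.tasks
      .filter((t) => !t.cancelled && t.at <= this.now)
      .sort((a, b) => a.at - b.at);
    this.tasks = this.tasks.filter((t) => !due.includes(t));
    for (const t of due) t.fn();
  }
}

// Walk-through: copy a constructed (not real) word list with one word withheld, let
// the TTL elapse and confirm the clipboard is empty; then show that a copy the
// user made before the TTL survives the scheduled wipe.
function demo() {
  const clip = new FakeClipboard();
  const sched = new FakeScheduler();
  const schedule = sched.schedule.bind(sched);
  const { partial, withheld } = redactMnemonic('abandon ability able about above absent', 1);

  copySensitive(partial, clip, schedule, 1000);
  const beforeTtl = clip.readText();
  sched.advance(1000);
  const afterTtl = clip.readText();

  copySensitive(partial, clip, schedule, 1000);
  clip.writeText('unrelated text the user copied'); // user overwrote it before the TTL
  sched.advance(1000);
  const userCopySurvives = clip.readText();

  return { withheld, beforeTtl, afterTtl, userCopySurvives };
}
```

Timed clearing is best effort only: a clipboard-sync service or a process polling the clipboard faster than the TTL still gets the value, which is why the withheld-words approach and the warning are the stronger parts of the mitigation.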

Assignees: none
Labels: bug, security
