Web3 Security Beginner's Guide to Avoid Pitfalls: How to Ensure Clipboard Security?

PANews

Author: Liz & Reborn

Editor: Sherry

Background

In the previous issue of the Web3 Security Beginner's Guide to Avoiding Pitfalls, we analyzed the Pi Xiu scam. In this issue, we will focus on clipboard security.

In many incidents of cryptocurrency theft, one of the most confusing points for victims is often: "I never transmitted my private key online, how was it stolen?" In fact, the leakage of private keys / mnemonic phrases does not necessarily occur through the cloud or online transmission; it can also happen during seemingly "local and secure" operations. For example, have you ever filled in your private key / mnemonic phrase by copying and pasting? Have you ever saved it in a note or screenshot? These common actions are also the targets that hackers focus on.

This issue will revolve around clipboard security, helping you understand its principles, attack methods, and the prevention suggestions we have summarized in practice, to help users build a stronger awareness of asset protection.


Why Clipboard Poses Risks

The clipboard is a temporary storage space provided by the operating system for local applications to share, mainly used to store temporary data (such as text, images, file paths, etc.) so that different applications can conveniently copy and paste content. For example, when you copy a wallet address, the operating system stores that address in the clipboard until it is overwritten or cleared by new content.

  • Plaintext Storage: Most operating systems (such as Windows, macOS, Linux) do not encrypt clipboard data by default, but store it in plaintext in memory.
  • System API Provides Access: Most operating systems provide clipboard-related APIs that allow applications to access the clipboard. This means that if an application (such as a text editor, browser extension, input method, screenshot tool, or even malware) has the appropriate permissions, it can silently read or even modify data in the background.

Moreover, since the content of the clipboard is not automatically cleared by default, it may remain accessible for a long time. If a user copies sensitive information but does not promptly overwrite or clear it, malware or third-party applications have the opportunity to read this content.

Some clipboard malware is specifically designed to modify addresses. A 2024 report on fraud and transnational organized crime in Southeast Asia, published by the United Nations Office on Drugs and Crime, mentions that the clipper is a type of malware commonly used by Southeast Asian criminal groups. A clipper monitors the clipboard of an infected system, waiting to replace addresses in cryptocurrency transactions. Once the victim inadvertently makes a transaction, the funds are transferred to the attacker's address. Since cryptocurrency wallet addresses are usually very long, users are less likely to notice changes in the receiving address.


(https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOCConvergenceReport_2024.pdf)
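The replacement behavior described above leaves a recognizable trace: an address on the clipboard is swapped for a different address of the same type faster than a person would copy a second one. The following is an added example, not code from the original article, that flags that pattern in a series of clipboard samples and compares an intended address against a pasted one in full. The function names, the 2-second window, the address patterns and all sample values are assumptions made for illustration; collecting the clipboard samples is left to the caller.

```python
import re

# Address shapes recognised here (format only; no checksum validation).
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
}


def classify(text):
    """Return (kind, normalised_address), or (None, None) if text is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            # Ethereum hex is case-insensitive apart from its checksum casing.
            return kind, text.lower() if kind == "ethereum" else text
    return None, None


def find_swaps(samples, window=2.0):
    """samples: time-ordered (seconds, clipboard_text) pairs.

    Flags an address replaced by a different address of the same kind within
    `window` seconds, faster than a person would normally copy a second one.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(samples, samples[1:]):
        kind0, addr0 = classify(before)
        kind1, addr1 = classify(after)
        if kind0 and kind0 == kind1 and addr0 != addr1 and t1 - t0 <= window:
            alerts.append((t1, kind0, addr0, addr1))
    return alerts


def first_mismatch(intended, pasted):
    """Compare whole addresses; return None if equal, else the first differing index."""
    a, b = classify(intended)[1] or intended.strip(), classify(pasted)[1] or pasted.strip()
    if a == b:
        return None
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))


# Constructed sample data: placeholder addresses and a made-up clipboard timeline.
INTENDED = "0x1234" + "a" * 32 + "5678"
SWAPPED = "0x1234" + "b" * 32 + "5678"   # differs only in the middle characters
TIMELINE = [(0.0, "meeting notes"), (10.0, INTENDED), (10.4, SWAPPED), (95.0, "ok")]

if __name__ == "__main__":
    print(find_swaps(TIMELINE))
    print(first_mismatch(INTENDED, SWAPPED))
```

A clean result only means no swap was seen in the samples provided; it does not show that the device is free of malware.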

By now it should be clear that the fundamental way to prevent clipboard attacks is to avoid copying sensitive information and to install professional antivirus software to prevent malware intrusion.


Clearing the clipboard primarily serves to shorten the exposure time of sensitive information, reducing the risk of being read by malware or other applications. If you accidentally copy sensitive information, promptly clearing the clipboard can lower the possibility of leakage. A simple method is to immediately copy a large amount of irrelevant content to "flush" the previously copied sensitive information, which can reduce the probability of being read to some extent.

However, if your device is already infected with malware that steals or modifies clipboard content, manually clearing the clipboard will have limited effect. This is because such malicious programs can monitor and read data in real-time, and the speed of manual clearing is unlikely to keep up with their operations. Therefore, the best practice is still to avoid copying sensitive information from the source and to ensure device security. If you suspect that your device has been infected, it is advisable to transfer your assets to a new wallet as soon as possible to prevent further losses.

In addition to the clipboard, sensitive information may also be leaked through the following means, and users should be vigilant:

  • Photo albums, cloud storage, input methods: Avoid letting private keys / mnemonic phrases touch the internet, including but not limited to photo albums, cloud storage, WeChat favorites, mobile notes, etc. Avoid entering sensitive information in input methods; it is recommended to use the system's built-in input method, disable the "cloud sync" feature of the input method, and try not to fill in private keys / mnemonic phrases through copy and paste.
  • Malware Risks: Regularly use antivirus software to scan the system for potential malware.
  • Browser Extension Permission Issues: Disable unnecessary browser extensions. If you are concerned about the permission risks of a certain extension, you can first install the extension without using it, check the extension ID, search for its local path on your computer, find the manifest.json file in the extension's root directory, and send the file content to an AI for an interpretation of the permission risks. If you like to keep things isolated, consider using a separate Chrome Profile for unfamiliar extensions, so that any malicious behavior is at least contained.
  • Transfer Address Modification Risks: When performing cryptocurrency transfers and other operations, be sure to carefully verify the wallet address to avoid mistakenly transferring funds due to clipboard modifications.
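The manifest.json review suggested in the list above can also be done locally as a first pass. The following is an added example, not code from the original article: it reads the text of one manifest.json and reports the permissions most relevant to clipboard and page-content exposure. The function name, the severity labels, the risk notes and the sample manifest are assumptions made for illustration; the permission names are standard Chrome extension permissions, and the list is not exhaustive.

```python
import json

# Chrome permission names relevant to the clipboard and page-content risks above.
# The risk notes and severity labels are this example's own, not Chrome's.
RISKY = {
    "clipboardRead": ("high", "can read whatever is on the clipboard"),
    "clipboardWrite": ("high", "can replace clipboard content, e.g. a copied address"),
    "nativeMessaging": ("medium", "can talk to a program installed outside the browser"),
    "scripting": ("medium", "can inject scripts into pages it has host access to"),
    "webRequest": ("medium", "can observe network requests"),
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text):
    """Return (severity, finding) tuples for the text of one manifest.json."""
    manifest = json.loads(manifest_text)
    findings = []
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3 host patterns
    for key in ("permissions", "optional_permissions"):
        for perm in manifest.get(key, []):
            if not isinstance(perm, str):
                continue  # some permissions are objects; not covered here
            if perm in RISKY:
                severity, note = RISKY[perm]
                findings.append((severity, f"{perm}: {note}"))
            elif perm in BROAD_HOSTS:
                hosts.add(perm)  # Manifest V2 mixes host patterns into permissions
    for pattern in sorted(hosts & BROAD_HOSTS):
        findings.append(("high", f"host access {pattern}: applies to every site you visit"))
    for script in manifest.get("content_scripts", []):
        for pattern in sorted(BROAD_HOSTS.intersection(script.get("matches", []))):
            findings.append(("high", f"content script on {pattern}: runs inside every "
                                     "page, where it can see what you type or paste"))
    return findings


# Constructed sample manifest, not taken from any real extension.
SAMPLE_MANIFEST = """{
  "manifest_version": 3,
  "name": "Constructed example",
  "permissions": ["storage", "clipboardRead", "clipboardWrite"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}"""

if __name__ == "__main__":
    for severity, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {finding}")
```

An empty result does not mean an extension is safe: a content script limited to a single wallet or exchange site can still see what is pasted on that site.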

Clipboard Clearing Tutorial

Here are some relatively simple methods to clear the clipboard on macOS, iOS, Android, and Windows that you can practice:

macOS only saves the current clipboard content and does not record history, so copying a piece of irrelevant content overwrites the sensitive content. iOS also only saves the current clipboard content. In addition to copying a piece of irrelevant content, users can create a shortcut that clears the clipboard and add it to the home screen for easier clearing.


(https://x.com/0xBeyondLee/status/1855630836118467028)

Windows 7 and earlier versions only save the current clipboard content without a history; you can overwrite the original content in the clipboard by copying a piece of irrelevant content, thus indirectly clearing it. Windows 10 / 11 (if "Clipboard History" is enabled): Press Win + V to view clipboard history, and click the "Clear All" button in the upper right corner to delete all history.


The clipboard history on Android usually refers to the clipboard history recorded by the input method. Many Android devices provide clipboard history functionality in the input method, allowing you to enter the clipboard management interface of the input method to manually clear unnecessary records.


In short, if the system itself does not save history, simply copy new content to overwrite it. If the system has clipboard history (such as Windows 10 / 11, some Android devices), then manually clear the history according to the methods mentioned above.

Conclusion

The clipboard is a frequently overlooked yet high-risk leakage channel. We hope this article can help users reassess the security risks of copying and pasting and recognize that "local operations do not equal absolute security." Security is not just a technical issue; it is also a matter of behavioral habits. Only by maintaining vigilance in daily operations, enhancing security awareness, and implementing basic protective measures can one truly safeguard their assets.
