0

I need to copy sensitive data to clipboard by using javascript/Angular2. With the string should be kept confidential, such as by deleting it from computer memory when no longer needed.

Something like this is available within Microsoft .Net (System.Security.SecureString).

Question: As the Microsoft clipboard is not secure, is something like this also available for javascript/Angular2?

Thank you

thardes2
  • 1,162
  • 12
  • 28

1 Answers1

1

With ONLY javascript and angular, in a normal web browser you'd expect a consumer to have installed this wouldn't be possible.

All of the mainstream browsers offer dev tools where you can inspect the variables in use in the browser. So a breakpoint in the right spot will grant anyone with the web page open access to the variable. Also once the data is in the clipboard you've lost control of the data anyway, and it's exposed for other applications to copy from the clipboard. It sounds like you may need some sort of locally installed thin client (desktop app), to securely allow the user to interact with this data.

Read here about memory management in the javascript virtual machine to get an idea about when and how memory is cleaned up https://developer.mozilla.org/en-US/docs/Web/JavaScript/Memory_Management

Maybe someone out there knows a way to do this with javascript, but I don't believe it to be possible, but it's hard to know what you don't know.

The .NET SecureString does things for you that just wouldn't work in a javascript VM that is client side (not node.js on the server, that's a different scenario). If you did have such a feature in a client side javascript VM, you would need a way to encrypt the string data, which means somewhere on the client or in your web page you need an encryption key and initialization vector that have to be stored somewhere, but more importantly they need to be protected.

Given all the data is on the client machine and isn't leaving the client machine, what threats are you trying to protect this data from? Is the user transferring the data from the clipboard to a remote computer? What is supposed to happen with the data after it's in the clipboard?

Mark At Ramp51
  • 5,343
  • 1
  • 25
  • 30
  • Thank you for the answer Mark. I have an encrypted passwort on my machine and I need to copy this passwort to the clipboard (in order to paste it somewhere). This part acts like a passwort manager or something like that. I would like to erase the entry after a few seconds in order to keep it secret again. – thardes2 Jul 15 '16 at 14:05
  • If you aren't transmitting this over a network, then I don't think you need to be worried. You can generate the value, copy it to the clipboard, and then overwrite the old value after it's copied to the clipboard. I'm assuming you are copying it to the clipboard in plaintext. Once it's in the clip board, it's out of your hands. – Mark At Ramp51 Jul 15 '16 at 14:08
  • The point is: I don't want to have the 'secret' in my clipboard. I changed to question and added a link. -- Probably the statement "you have much bigger things to worry about as there are plenty of other stuff he can do" is also correct ;-) – thardes2 Jul 15 '16 at 14:18
  • So are you wanting to put an encrypted copy of the string in the clipboard? I'm confused by your question at the moment, you don't have to put anything in the clipboard that you don't want to. – Mark At Ramp51 Jul 15 '16 at 14:32
  • Assume you have some kind of pw manager like keepass 2. If you doubleclick the pw-entry, the pw is copied to the clipboard for ~10 seconds. Afterwards it is removed again. I like to achieve that – thardes2 Jul 18 '16 at 09:08