New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V2.5 - Verify that the clipboard is deactivated on text fields that may contain sensitive data. #106
Comments
The attack vector here is that all apps on the phone can read the clipboard (article, PoC). I think disallowing paste on passwords inputs is not a solution to this. Users only notice this when they try to paste, when they already have copied the password to the clipboard. Also, I think this could be a consideration for the user between convenience and security: whether he uses the same password for everything, uses a password manager with copy-paste, or memorizes 50 passwords of the top of his head. |
Agree with both of you. Disallowing this in a password field will make the user not happy and when he copies a password, credit card number etc and finds out that he is not allowed to paste it in it's already to late. |
The attack vector of other applications being able to read the clipboard hadn't occurred to me, and is indeed a serious concern for the user. As a security tester one of my recommendations here would be to to at least supplement the password authentication some sort of MFA. |
The requirement is addressing sensitive data in general. So can be of course the password, but also credit card data, username or other PII. 2FA is available in another requirement: 4.9 - A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. |
Sounds good. Closing the issue! |
fevertree commentedJul 12, 2017
As long as applications allow users to authenticate via password, users should be allowed to paste in passwords from clipboard. Unique passwords for each and every service that a person uses is considered to be an industry standard recommendation. By not allowing a user to paste in their password, the MASVS goes against this practice.
The text was updated successfully, but these errors were encountered: