Clip Caster - Free

  • ClipCaster, password, password management
  • Description

  • ClipCaster is an open source proof of concept app that shows how easily any installed app can read passwords when they're used from password management applications.


    Finds credentials when using:

      • LastPass 'fill-in' feature (Android version at least 4.3)
      • KeePassDroid

    but most, if not all, other password managers are vulnerable to this technique. See 'Scope of Vulnerability' below.

    We chose LastPass as A) we were using it personally and B) the fill-in feature we targeted doesn't tell the user it uses the clipboard internally.

    To fill in credentials in Chrome, LastPass copies a chunk of JavaScript to the clipboard, which it then pastes into Chrome's address bar. The user hits enter and it executes. Most of the JavaScript is concerned with finding out which fields are the username and password fields. Embedded in the JavaScript are the username and password, encoded in base64.

    Any installed application can be notified of clipboard changes. Once the JavaScript is received, it's a simple matter of finding the encoded data and decoding it using standard Android libraries.
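
Because base64 is an encoding rather than encryption, a password manager's developers can test for this exposure by filling in canary credentials and checking whatever their app puts on the clipboard. The check below is an added example, not code from ClipCaster or LastPass; the function names, canary values and sample payload are constructed assumptions.

```javascript
// Added example (Node.js): leak check for a password manager's clipboard payload.
// All names here are hypothetical; the payload is constructed for illustration.

// Canary credentials from a throwaway test profile, never real secrets.
const CANARIES = { username: "canary-user@example.test", password: "Canary-Pass-42" };

// Runs of base64 alphabet characters; in JavaScript source they are delimited
// by quotes, parentheses and similar punctuation.
const B64_TOKEN = /[A-Za-z0-9+/]{4,}={0,2}/g;

// Returns one finding per canary that a clipboard reader could recover.
function findRecoverableSecrets(clipboardText, canaries) {
  const findings = [];
  const entries = Object.entries(canaries);

  // Case 1: the secret sits on the clipboard verbatim.
  for (const [name, value] of entries) {
    if (clipboardText.includes(value)) findings.push({ name, how: "plaintext" });
  }

  // Case 2: the secret is only base64-encoded, which any reader can reverse.
  for (const token of clipboardText.match(B64_TOKEN) || []) {
    const decoded = Buffer.from(token, "base64").toString("utf8");
    for (const [name, value] of entries) {
      if (decoded.includes(value)) findings.push({ name, how: "base64", token });
    }
  }
  return findings;
}

// Constructed payload shaped like the description above: JavaScript destined
// for the address bar with base64-encoded credentials embedded in it.
function samplePayload(c) {
  const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
  return `javascript:(function(){var u=atob('${b64(c.username)}'),` +
         `p=atob('${b64(c.password)}');/* field detection elided */})()`;
}

// Each finding means the fill-in path exposes that credential to every
// installed app that listens for clipboard changes.
for (const f of findRecoverableSecrets(samplePayload(CANARIES), CANARIES)) {
  console.log(`LEAK: ${f.name} recoverable from clipboard via ${f.how}`);
}
```

An empty result for every fill-in path is the pass condition; any finding means the credential should be delivered through a channel other than the clipboard.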

