Kaseya Community

KRC Clipboard Security Flaw

  • Wow! This is a good one. I had an event happen today where I ended up with a sensitive password on my local pc clipboard that I did not create. I'm not sure how to recreate this issue, but I'll lay out the scenario.

    I have a client that has a pseudo admin account in the VSA so he can also support his end users with Kaseya. He's been having trouble with his big boss, and configuring Outlook on the boss's Mac.

    Client: I'm trying to get Outlook to work on Big Daddy's computer, it's a Mac. Can you help me? I need to get this done. The ticket was opened yesterday, but I need help now.

    Me: Sure! Let me see who the ticket is assigned to, and I'll take it over if need be.

    Client: Okay. You can join me on my pc? Can you remote in and look at my desktop?

    Me: Sure.  (I find his machine in the VSA and KRC into it)

    Me: (after KRC connects) I see that you are RCing (KRCing) into Big Daddy's Mac from your machine. Funny, it looks really blurry, a KRC session in a KRC session. It's Blurry Fast!!! and tiny!

    Client: Yes, I'm KRC'd into Big Daddy's Mac, but so is your awesome tech. He's working on the Outlook issue now. (we are now watching awesome tech work)

    Me: (I squint and watch the KRC double session, I see some struggling, and decide to go KRC into the exchange server)

    Me: (When I get on the Exchange server, I notice that Awesome Tech is also KRC'd into the Exchange Server, working his awesome magic.)

    Client: It's fixed now. Thanks!

    Me: No problem. (disconnect KRC, all sessions)

    Then I go to "paste" something that was on my clipboard, but instead of what I expected, it's Big Daddy's password on my clipboard.

    So Beware all! And maybe this should get fixed???

  • This has also been observed in this version 7 thread: community.kaseya.com/.../93875.aspx

  • I see. I think this copy paste issue is thread worthy on its own. I just had another incident. I went to "Ctrl-v" paste something I expected to be on my clipboard into an email, and was just about to hit "send" when I realized at the last second it was completely private information from one of my clients' clipboards.

    The information was 100% private, and 100% proprietary. If I hadn't caught myself at the last second, I could have made a serious mistake. Someone could easily accuse me of spying and stealing. Not good for business.

    Also, it's disconcerting what could be ending up on the remote clipboards from us. This is a serious security issue, and needs to be addressed ASAP.

    This is crazy, I have to now tell all my techs they have to use KVNC now.

    It's one thing for it to be a bit buggy, but for it to also start sharing private clipboard information is over the top.

    Kaseya oughta think about how cool and fast KRC will be to the Judge when they find themselves in Court.

  • I agree it deserves its own thread.  Did you make a ticket?

  • Not yet. I currently have 3 outstanding tickets with Kaseya support, which doesn't include a needed ticket for the KNM module, which doesn't work, and has never worked for us.

    I already have 3 separate Kaseya Support techs asking me for a VSA logon to our system 3 separate times. :) jus sayn. It's kinda nutty.

  • ahh one of my Awesome Techs just pointed out an excellent question:

    "I wonder if you have multiple KRC sessions can clipboard contents travel between machines without you knowing?"

  • I'm surprised this hasn't come up again.  If I have a KRC window open in the background we seem to share the clipboard.   I sometimes will paste what they have in their clipboard on my computer.  I'm guessing the only way to solve it is to add buttons to KRC to send/receive clipboard contents instead of always sharing them?

  • Hi all,

    I will investigate and clarify the status of this as soon as I can.

    Best Regards,

    Nicolas

  • Any update on this???

  • Hi

    I can confirm we are trying to address this in an upcoming release.

    However, as far as a security concern goes -- I am still following up on whether this is a security concern at this point.

    I will try to get this information back to you as soon as I can.

    Best,

    Nicolas

  • Thanks for the feedback. We've used your input and researched, and many remote control tools in the market actually share a clipboard, allowing cut and paste to and from the target machine. However, we see from a usability perspective that a technician may not be aware this is the case, and understand the concerns regarding the existing clipboard data remaining available to the technician after termination of the remote session. We are currently scheduling this for a patch release and will update this post when the patch is available.