mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GITBOOK-4350: No subject
parent
f6c6bc3627
commit
bab9044c8c
1 changed files with 3 additions and 1 deletions
@ -574,7 +574,7 @@ An important consideration is that in scenarios where multiple pages are set to
When crafting new extensions, the preference should be towards promises as opposed to callbacks. Concerning the use of callbacks, the `sendResponse()` function is considered valid only if it's executed directly within the synchronous context, or if the event handler indicates an asynchronous operation by returning `true`. Should none of the handlers return `true` or if the `sendResponse()` function is removed from memory (garbage-collected), the callback associated with the `sendMessage()` function will be triggered by default.
## Sensitive Information in Memory/Code
## Sensitive Information in Memory/Code/Clipboard
If a Browser Extension stores **sensitive information inside it's memory**, this could be **dumped** (specially in Windows machines) and **searched** for this information.
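Review bot: The renamed heading `## Sensitive Information in Memory/Code/Clipboard` changes the section's anchor, so any existing links to the old `Sensitive Information in Memory/Code` heading will stop resolving; search the book for inbound links and update them in the same commit. The commit message "No subject" also gives no hint that a clipboard paragraph was added, so a one-line summary would help later readers of the history. While this section is being touched, the unchanged line just below the heading reads "inside it's memory", which should be "its".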
@ -584,6 +584,8 @@ Of course, do **not put sensitive information in the code**, as it will be **pub
To dump memory from the browser you could **dump the process memory** or to go to the **settings** of the browser extension click on **`Inspect pop-up`** -> In the **`Memory`** section -> **`Take a snaphost`** and **`CTRL+F`** to search inside the snapshot for sensitive info.
Moreover, highly sensitive information like mnemonic keys or passwords **shouldn't be allowed to be copied in the clipboard** (or at least remove it from the clipboard in a few seconds) because then processes monitoring the clipboard will be able to get them.
## Loading an Extension in the Browser
1. **Download** the Browser Extension & unzipped
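Review bot: The fallback in the added paragraph, "or at least remove it from the clipboard in a few seconds", overstates what timed clearing achieves: by the paragraph's own reasoning a process monitoring the clipboard gets the value when it is copied, so clearing later only limits subsequent reads. I would state that limitation explicitly and make the primary recommendation (not offering copy for mnemonics or passwords at all) the clear default. Wording: "copied in the clipboard" should be "copied to the clipboard", and "in a few seconds" reads better as "after a few seconds". The unchanged context line above also has "Take a snaphost", which could be corrected to "snapshot" in the same pass.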