For many years, I have been running untrusted programs in VMs.
I have used both Windows and Linux as the host OS, and both (many versions of) VMware Workstation Player and VirtualBox on both OSes. The VMs (“guest OS”) have been both various versions of Windows and Linux.
Naturally, I always enable the “shared clipboard” feature, so that I can copy text from the VM to the host, and from the host to the VM. This feature is crucial to do any serious work with the VMs, so it doesn’t really matter if it’s “disabled by default”.
I have been worried about this for many years, but always postponed asking properly about it. One reason for this is that I’m overwhelmed with other problems, but another is that I’m scared of the answer!
I’m wondering when exactly the “clipboard sharing” takes place. Is it, as I really hope, when you have copied something in the host OS, and then focus the VM window? Or does the VM’s OS, as I fear, get the information sent to it as soon as you copy anything in the host OS, even if the VM’s window is minimized/unfocused?
If the clipboard data is instantly shared, this means that I have unknowingly been sending massive amounts of highly sensitive private information to untrusted VMs full of sketchy software which may very well have all kinds of keyloggers and trojans which captured my passwords and every personal text snippet copied in the host OS (with no intention of ever sharing that with any running VM), instantly phoning it home over the network. (Yes, networking is also crucial to have enabled for most VMs.)
I’m wondering both about VMware Workstation Player and VirtualBox, and whether it differs between versions/generations of these. I truly hope that my paranoid fears are just that: the worst possible imaginable nightmare scenario which they “obviously” have not actually implemented because it would be insanely irresponsible.
On the other hand, similarly terrible things for privacy/security have been done many times, so I’m afraid to read an answer which quotes some VMware/VirtualBox page which indeed warns about this feature and how it shares everything instantly…
