Security Flaw: Any website can read your clipboard text

Discussion in 'Computer Security' started by sudarmuthu@gmail.com, Sep 18, 2005.

  1. Guest

    Web sites you visit can retrieve data from your clipboard depending on
    your security settings. Go to this page (www.clipboard.googlemyway.com)
    and see if anything shows up in the box. If you are using Firefox or
    Opera you probably won't see anything. However, if you are using
    Internet Explorer then chances are that whatever you last copied into
    your clipboard will be displayed.
    , Sep 18, 2005
    #1
    1. Advertising

  2. Winged Guest

    wrote:
    > Web sites you visit can retrieve data from your clipboard depending on
    > your security settings. Go to this page (www.clipboard.googlemyway.com)
    > and see if anything shows up in the box. If you are using Firefox or
    > Opera you probably won't see anything. However, if you are using
    > Internet Explorer then chances are that whatever you last copied into
    > your clipboard will be displayed.
    >

    Thanks, I collect sites like these.

    Winged
    Winged, Sep 18, 2005
    #2
    1. Advertising

  3. Imhotep Guest

    wrote:

    > Web sites you visit can retrieve data from your clipboard depending on
    > your security settings. Go to this page (www.clipboard.googlemyway.com)
    > and see if anything shows up in the box. If you are using Firefox or
    > Opera you probably won't see anything. However, if you are using
    > Internet Explorer then chances are that whatever you last copied into
    > your clipboard will be displayed.


    I do not use Windows so I have not been able to verify it. However, if true,
    has this been acknowledged by MS? Are they going to fix it?

    Imhotep
    Imhotep, Sep 20, 2005
    #3
  4. Imhotep Guest

    wrote:

    > Web sites you visit can retrieve data from your clipboard depending on
    > your security settings. Go to this page (www.clipboard.googlemyway.com)
    > and see if anything shows up in the box. If you are using Firefox or
    > Opera you probably won't see anything. However, if you are using
    > Internet Explorer then chances are that whatever you last copied into
    > your clipboard will be displayed.


    ....also you probably should post this to the MS newsgroups to let them know
    also...

    Imhotep
    Imhotep, Sep 20, 2005
    #4
  5. Jim Watt Guest

    On Mon, 19 Sep 2005 21:12:14 -0400, Imhotep <>
    wrote:

    > wrote:
    >
    >> Web sites you visit can retrieve data from your clipboard depending on
    >> your security settings. Go to this page (www.clipboard.googlemyway.com)
    >> and see if anything shows up in the box. If you are using Firefox or
    >> Opera you probably won't see anything. However, if you are using
    >> Internet Explorer then chances are that whatever you last copied into
    >> your clipboard will be displayed.

    >
    >I do not use Windows so I have not been able to verify it. However, if true,
    >has this been acknowledged by MS? Are they going to fix it?


    Its certainly true.

    One could regard it as a feature rather than a bug and there is the
    option to turn it off. Mine is now off because its a feature to live
    without.

    On the whole, Firefox is a lot better.

    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 20, 2005
    #5
  6. Zilbandy Guest

    Jim Watt <_way> wrote:

    >>> Web sites you visit can retrieve data from your clipboard depending on
    >>> your security settings. Go to this page (www.clipboard.googlemyway.com)
    >>> and see if anything shows up in the box. If you are using Firefox or
    >>> Opera you probably won't see anything. However, if you are using
    >>> Internet Explorer then chances are that whatever you last copied into
    >>> your clipboard will be displayed.

    >>
    >>I do not use Windows so I have not been able to verify it. However, if true,
    >>has this been acknowledged by MS? Are they going to fix it?

    >
    >Its certainly true.
    >
    >One could regard it as a feature rather than a bug and there is the
    >option to turn it off. Mine is now off because its a feature to live
    >without.


    Where would that option to turn it off be located?
    Zilbandy, Sep 20, 2005
    #6
  7. Jim Watt Guest

    On Tue, 20 Sep 2005 08:35:47 -0700, Zilbandy
    <> wrote:

    >Jim Watt <_way> wrote:
    >
    >>>> Web sites you visit can retrieve data from your clipboard depending on
    >>>> your security settings. Go to this page (www.clipboard.googlemyway.com)
    >>>> and see if anything shows up in the box. If you are using Firefox or
    >>>> Opera you probably won't see anything. However, if you are using
    >>>> Internet Explorer then chances are that whatever you last copied into
    >>>> your clipboard will be displayed.
    >>>
    >>>I do not use Windows so I have not been able to verify it. However, if true,
    >>>has this been acknowledged by MS? Are they going to fix it?

    >>
    >>Its certainly true.
    >>
    >>One could regard it as a feature rather than a bug and there is the
    >>option to turn it off. Mine is now off because its a feature to live
    >>without.

    >
    >Where would that option to turn it off be located?


    tools>internet options>security>custom level

    navigate the tree to

    scripting
    allow paste operations by script

    and check the 'disable' radio button.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 20, 2005
    #7
  8. Unruh Guest

    Jim Watt <_way> writes:

    >On Tue, 20 Sep 2005 08:35:47 -0700, Zilbandy
    ><> wrote:


    >>Jim Watt <_way> wrote:
    >>
    >>>>> Web sites you visit can retrieve data from your clipboard depending on
    >>>>> your security settings. Go to this page (www.clipboard.googlemyway.com)
    >>>>> and see if anything shows up in the box. If you are using Firefox or
    >>>>> Opera you probably won't see anything. However, if you are using
    >>>>> Internet Explorer then chances are that whatever you last copied into
    >>>>> your clipboard will be displayed.


    This is very iffy. For example, the web site could just be sending a
    message to your browser to display the clipboard. This does NOT mean that
    the remote site knows anything about your clipboard, just that it has told
    your own browser on your own machine to display the clipboard, a totally
    secure thing to do.

    Are you sure this is anything different than that, ie, that the remote site
    can get the contents of your clipboard?


    >>>>
    >>>>I do not use Windows so I have not been able to verify it. However, if true,
    >>>>has this been acknowledged by MS? Are they going to fix it?
    >>>
    >>>Its certainly true.
    >>>
    >>>One could regard it as a feature rather than a bug and there is the
    >>>option to turn it off. Mine is now off because its a feature to live
    >>>without.

    >>
    >>Where would that option to turn it off be located?


    >tools>internet options>security>custom level


    >navigate the tree to


    >scripting
    > allow paste operations by script


    >and check the 'disable' radio button.
    >--
    >Jim Watt
    >http://www.gibnet.com
    Unruh, Sep 20, 2005
    #8
  9. Zilbandy Guest

    Thanks. :)

    Jim Watt <_way> wrote:

    >tools>internet options>security>custom level
    >
    >navigate the tree to
    >
    >scripting
    > allow paste operations by script
    Zilbandy, Sep 20, 2005
    #9
  10. Jim Watt Guest

    On 20 Sep 2005 19:09:23 GMT, Unruh <> wrote:

    >This is very iffy. For example, the web site could just be sending a
    >message to your browser to display the clipboard. This does NOT mean that
    >the remote site knows anything about your clipboard,


    Look at the site more carefully, he has another example where he
    emails you the clipboard contents ...

    If you are sneaky you can also grab teh javascript to see how and
    what gets done.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 20, 2005
    #10
  11. Winged Guest

    Imhotep wrote:
    > wrote:
    >
    >
    >>Web sites you visit can retrieve data from your clipboard depending on
    >>your security settings. Go to this page (www.clipboard.googlemyway.com)
    >>and see if anything shows up in the box. If you are using Firefox or
    >>Opera you probably won't see anything. However, if you are using
    >>Internet Explorer then chances are that whatever you last copied into
    >>your clipboard will be displayed.

    >
    >
    > I do not use Windows so I have not been able to verify it. However, if true,
    > has this been acknowledged by MS? Are they going to fix it?
    >
    > Imhotep


    Naw, this ain't a bug its a feature.:) Everyone knows that people who
    may or may not have a relationship to the consumer has a right to
    remotely access the consumer system, send mail and get any information
    the stranger desires. Why else leave a critical hole open since last
    November that is currently being exploited...shucks MS has been trying
    to share information outbound as to what is being burned on local
    system CDs via media player. MS thinks someone has a right to know.
    Recently I was burning some home movies and personal wedding pics and
    found MS DRM trying to phone home. I wasn't smart enough to decipher
    what was trying to be sent, but it killed what trust I had in MS. I am
    probably just paranoid...

    Winged
    Winged, Sep 21, 2005
    #11
  12. Winged Guest

    Unruh wrote:
    > Jim Watt <_way> writes:
    >
    >
    >>On Tue, 20 Sep 2005 08:35:47 -0700, Zilbandy
    >><> wrote:

    >
    >
    >>>Jim Watt <_way> wrote:
    >>>
    >>>
    >>>>>>Web sites you visit can retrieve data from your clipboard depending on
    >>>>>>your security settings. Go to this page (www.clipboard.googlemyway.com)
    >>>>>>and see if anything shows up in the box. If you are using Firefox or
    >>>>>>Opera you probably won't see anything. However, if you are using
    >>>>>>Internet Explorer then chances are that whatever you last copied into
    >>>>>>your clipboard will be displayed.

    >
    >
    > This is very iffy. For example, the web site could just be sending a
    > message to your browser to display the clipboard. This does NOT mean that
    > the remote site knows anything about your clipboard, just that it has told
    > your own browser on your own machine to display the clipboard, a totally
    > secure thing to do.
    >
    > Are you sure this is anything different than that, ie, that the remote site
    > can get the contents of your clipboard?
    >
    >
    >
    >>>>>I do not use Windows so I have not been able to verify it. However, if true,
    >>>>>has this been acknowledged by MS? Are they going to fix it?
    >>>>
    >>>>Its certainly true.
    >>>>
    >>>>One could regard it as a feature rather than a bug and there is the
    >>>>option to turn it off. Mine is now off because its a feature to live
    >>>>without.
    >>>
    >>>Where would that option to turn it off be located?

    >
    >
    >>tools>internet options>security>custom level

    >
    >
    >>navigate the tree to

    >
    >
    >>scripting
    >> allow paste operations by script

    >
    >
    >>and check the 'disable' radio button.
    >>--
    >>Jim Watt
    >>http://www.gibnet.com


    Active scripting must also be enabled as well as the allow pasteing
    operations by script. Heh, I modified my perms for IE some time ago,
    even it I only use the browser at windows update I still have things
    locked down..retentive I guess.


    Thinking about this, I modified the Firefox user.js configuration file
    to support copy paste operations just because I was curious to see if I
    turned it on whether I would have the same issue as IE. I added the
    following to my user.js file:

    //enable clipboard
    user_pref("capability.policy.policynames", "allowclipboard");
    user_pref("capability.policy.allowclipboard.sites",
    "http://www.clipboard.googlemyway.com");
    user_pref("capability.policy.allowclipboard.Clipboard.cutcopy",
    "allAccess");
    user_pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess");

    Then I tried site. The site did not expose clipboard, as I expected.

    I know we should not try to break things however this didn't work as I
    thought it would.

    Can anyone tell me what I am missing?

    Winged


    PS Mozilla has now released version 1.7 of Firefox. I happened to
    notice this in my trying to break it:p
    Winged, Sep 22, 2005
    #12
  13. "Unruh" <> wrote in message
    news:dgpmp2$dap$...
    > Jim Watt <_way> writes:
    >
    > >On Tue, 20 Sep 2005 08:35:47 -0700, Zilbandy
    > ><> wrote:

    >
    > >>Jim Watt <_way> wrote:
    > >>
    > >>>>> Web sites you visit can retrieve data from your clipboard depending

    on
    > >>>>> your security settings. Go to this page

    (www.clipboard.googlemyway.com)
    > >>>>> and see if anything shows up in the box. If you are using Firefox or
    > >>>>> Opera you probably won't see anything. However, if you are using
    > >>>>> Internet Explorer then chances are that whatever you last copied

    into
    > >>>>> your clipboard will be displayed.

    >
    > This is very iffy. For example, the web site could just be sending a
    > message to your browser to display the clipboard. This does NOT mean that
    > the remote site knows anything about your clipboard, just that it has told
    > your own browser on your own machine to display the clipboard, a totally
    > secure thing to do.
    >
    > Are you sure this is anything different than that, ie, that the remote

    site
    > can get the contents of your clipboard?


    This is /precisely/ what it's doing - the clipboardData object allows you to
    get, set, and clear.

    Once the JScript has hold of something, it can simply POST it anywhere it
    likes.

    Yet another "useful" feature that's left as a gaping hole by default...
    although in terms of criticality, it's at the "gadfly" level. The "look, we
    can display your drive contents" frame pseudo-exploit was far scarier to the
    average user, methinks.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Sep 22, 2005
    #13
  14. Jim Watt Guest

    On 18 Sep 2005 08:12:54 -0700, wrote:

    >Web sites you visit can retrieve data from your clipboard


    having changed my browser settings, I now find a website where
    I need to paste a document into a javascript controlled text box
    so it seems that 'prompt' is the preferred setting.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 23, 2005
    #14
  15. teh Mephisto Guest

    Jim Watt wrote:
    > On Mon, 19 Sep 2005 21:12:14 -0400, Imhotep <>
    > wrote:
    >
    >
    >> wrote:
    >>
    >>
    >>>Web sites you visit can retrieve data from your clipboard depending on
    >>>your security settings. Go to this page (www.clipboard.googlemyway.com)
    >>>and see if anything shows up in the box. If you are using Firefox or
    >>>Opera you probably won't see anything. However, if you are using
    >>>Internet Explorer then chances are that whatever you last copied into
    >>>your clipboard will be displayed.

    >>
    >>I do not use Windows so I have not been able to verify it. However, if true,
    >>has this been acknowledged by MS? Are they going to fix it?

    >
    >
    > Its certainly true.
    >
    > One could regard it as a feature rather than a bug and there is the
    > option to turn it off. Mine is now off because its a feature to live
    > without.
    >
    > On the whole, Firefox is a lot better.
    >
    > --
    > Jim Watt
    > http://www.gibnet.com


    I'm really suprised that it is just now coming out. It makes sence that
    it can happen. It's probably been around sence IE/Javascript first came
    out. You can easily copy stuff to your clipboard, it makes sence that
    you can take stuff off of it.

    Like I said i'm really suprised people are just now realizing it.
    --
    Meph
    teh Mephisto, Sep 29, 2005
    #15
  16. Jim Watt Guest

    On Thu, 29 Sep 2005 00:44:57 GMT, teh Mephisto <>
    wrote:

    >Jim Watt wrote:
    >> On Mon, 19 Sep 2005 21:12:14 -0400, Imhotep <>
    >> wrote:
    >>
    >>
    >>> wrote:
    >>>
    >>>
    >>>>Web sites you visit can retrieve data from your clipboard depending on
    >>>>your security settings. Go to this page (www.clipboard.googlemyway.com)
    >>>>and see if anything shows up in the box. If you are using Firefox or
    >>>>Opera you probably won't see anything. However, if you are using
    >>>>Internet Explorer then chances are that whatever you last copied into
    >>>>your clipboard will be displayed.
    >>>
    >>>I do not use Windows so I have not been able to verify it. However, if true,
    >>>has this been acknowledged by MS? Are they going to fix it?

    >>
    >>
    >> Its certainly true.
    >>
    >> One could regard it as a feature rather than a bug and there is the
    >> option to turn it off. Mine is now off because its a feature to live
    >> without.
    >>
    >> On the whole, Firefox is a lot better.
    >>
    >> --
    >> Jim Watt
    >> http://www.gibnet.com

    >
    >I'm really suprised that it is just now coming out. It makes sence that
    >it can happen. It's probably been around sence IE/Javascript first came
    >out. You can easily copy stuff to your clipboard, it makes sence that
    >you can take stuff off of it.
    >
    >Like I said i'm really suprised people are just now realizing it.


    as I posted later, it is a feature and indeed one that I use regularly
    without thinking about, its now enabled with a warning message.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 29, 2005
    #16
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Joel Rubin
    Replies:
    0
    Views:
    415
    Joel Rubin
    Mar 20, 2005
  2. Networking Student
    Replies:
    4
    Views:
    1,251
    vreyesii
    Nov 16, 2006
  3. Terry Pinnell

    IrfanView text box flaw?

    Terry Pinnell, Jan 4, 2006, in forum: Digital Photography
    Replies:
    7
    Views:
    393
    Chris Luck
    Jan 15, 2006
  4. Au79
    Replies:
    0
    Views:
    468
  5. Brian

    any photoshopers able to read this text?

    Brian, May 9, 2006, in forum: Computer Support
    Replies:
    13
    Views:
    513
    Mitch
    May 9, 2006
Loading...

Share This Page