Browser

Who's stealing your clipboard contents?


Windows Clipboard data is at risk when using IE to surf the web.  Unless an organization modifies default IE security settings for versions 4 thru 6, information copied to the Windows clipboard can be easily retrieved by an unscrupulous webmaster.

A demonstration of this “feature” is provided at scriptmagic.com.  When I first visited this site, my clipboard was empty.  Not to be deterred from discovering just how vulnerable my IE 6 implementation system is, I followed the instructions and copied information to my clipboard.  The results appear below:

  Clipboard Contents Copied


I typed the text shown in the red box into Microsoft Word.  Once I selected and copied the sentence into my clipboard, it immediately appeared on the web site. 

By default, IE 7 asks the user if she wants to honor the web site request for the contents of the clipboard.  At least that's what's supposed to happen.  My IE 7 installation locked.  Opera and Firefox don't give up your clipboard information without your knowledge.

Microsoft does provide instructions in Article 224993 for either turning off the transparent retrieval or prompting the user when a request for the clipboard information is made.  Be sure to properly configure the Allow paste operations via script security settings in IE to protect data leaks due to normal system operation.  Organizations with hundreds or thousands of IE users are at significant risk of leaking bits and pieces of ePHI, PII, or intellectual property.

 

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

9 comments
egpor95
egpor95

Interesting to note that if a site requires IE to view and you use an IE Tab in Firefox it gives up your clipboard in a heartbeat. Interesting possibilities exist here. Gene Y.

Mr.Newman
Mr.Newman

I've tested on IE6, it was terrible feeling to see that how my information could be accessed by websites, same thing I've done on mozilla but this time nothing has displayed, so, i think microsoft should be fast in it's security otherwise it can lead to the dramatic end of in IT world ;(

GeorgesR
GeorgesR

I have tried it with IE tabs and it is afected but it still uses the internet properties and if you follow Microsoft instructions then the change works. Clipboard content is not available. (By the way set it to disable specially if you are trying the site, you will keep clicking on the script authorization window) Regards

Lodai
Lodai

The IE Tab add-in for firefox is a unsigned 3rd party add-in that does have so pretty serious known issues: http://ietab.mozdev.org/

aceofspades1217
aceofspades1217

It works fine for me. I often use it for retarted web sites that forgot that only idiots use IE. I think after years of people pointing ut sucerrity, rendering, and other issues they would have figured out that only morons use IE. I am sorry but I think IE is terrible. And noone should use IE7 as it is so unstable. You open a few tabs and boom you get some sort of error that terminates the program.

The Scummy One
The Scummy One

on Vista. It kept locking up on me, then it would refuse to close without the help of the task manager. FF, I use in Linux and some Win systems. Currently I am using IE7 because I am on a Vista system, and before I rebuilt it, FF kept crashing.

israeljamesbond
israeljamesbond

.. he has to be more respectful and careful when typing. Calling morons people who are just using the software the computer comes with is just completely wrong. Some people just do not know any better. By the way, to me Firefox sucks, I like more Safari and IE, even if Firefox "feels" faster when having multiple tabs open for flash websites such as youtube. My IE7 back when I used Vista, or IE8 now on Windows 7 for that matter does not cause random crashes frequently, and if it does, the tabs are automatically recovered anyway. If a webpage looks weird on IE8, I just press the Compatibility button and voila! It looks fine. The problem has been less and less since IE8 was released.

w2ktechman
w2ktechman

for problems with downloading and installing IE, not just being a moron or idiot. Problems can range from a variety of SW that can be loaded onto the system, or the system configurations. Even a bad download can cause issues, and some would not be user error. Just because you had no problems, and thousands of others had no problems, does not mean that problems do not exist. Look at Microsofts website for known issues with IE7, many, many people had it installed and then had problems even trying to bring up a web page. Many others it installed in updates, and they didnt want it. Congrats that yours is working flawlessly, I, myself only use IE sometimes (usually at work).

Paul D. Masley
Paul D. Masley

Ace, first, I do not consider myself an idiot for using IE, nor do I consider myself or the countless others as morons for using it. Second, I have been using IE7 since the release and have not had any problems whatsoever out of it. At the present time I have 12 tabs open. If you are having problems with it, it seems like maybe that the "moron" that installed it did not follow the instructions and that is what you call "idiot!"

Editor's Picks