
Who's stealing your clipboard contents?


Windows clipboard data is at risk when you use IE to surf the web. Unless an organization modifies the default IE security settings for versions 4 through 6, information copied to the Windows clipboard can be easily retrieved by an unscrupulous webmaster.

A demonstration of this “feature” is provided at scriptmagic.com.  When I first visited this site, my clipboard was empty.  Not to be deterred from discovering just how vulnerable my IE 6 implementation system is, I followed the instructions and copied information to my clipboard.  The results appear below:

[Figure: Clipboard Contents Copied]


I typed the text shown in the red box into Microsoft Word.  Once I selected and copied the sentence into my clipboard, it immediately appeared on the web site. 

By default, IE 7 asks the user if she wants to honor the web site request for the contents of the clipboard.  At least that's what's supposed to happen.  My IE 7 installation locked.  Opera and Firefox don't give up your clipboard information without your knowledge.

Microsoft does provide instructions in Article 224993 for either turning off the transparent retrieval or prompting the user when a request for the clipboard information is made. Be sure to properly configure the “Allow paste operations via script” security setting in IE to protect against data leaks that occur during normal system operation. Organizations with hundreds or thousands of IE users are at significant risk of leaking bits and pieces of ePHI, PII, or intellectual property.
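To see how that setting is actually configured on a workstation, the read-only PowerShell audit below is an added example, not taken from this post or from Microsoft's article. It assumes the standard IE zone registry layout, in which URL action 1407 is "Allow paste operations via script" and the values 0, 1 and 3 mean enable, prompt and disable.

```powershell
# Added example: audit "Allow paste operations via script" (URL action 1407)
# in every IE security zone. Read-only; it changes nothing.
$Action    = '1407'
$ZoneNames = @{ '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'
                '3' = 'Internet';    '4' = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

# The setting can live in any of these locations (assumed standard layout).
$Suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Hives  = [ordered]@{
    'HKLM policy' = "HKLM:\Software\Policies\$Suffix"
    'HKCU policy' = "HKCU:\Software\Policies\$Suffix"
    'HKLM'        = "HKLM:\Software\$Suffix"
    'HKCU'        = "HKCU:\Software\$Suffix"
}

$results = foreach ($hive in $Hives.GetEnumerator()) {
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $path = Join-Path $hive.Value $zone
        $prop = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }      # value not set at this location

        $value = [int]$prop.$Action
        [pscustomobject]@{
            Location = $hive.Key
            Zone     = $ZoneNames[$zone]
            Value    = $value
            Setting  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unknown' }
            # Silent script access to the clipboard for untrusted content
            AtRisk   = ($value -eq 0 -and $zone -in '3', '4')
        }
    }
}

$results | Format-Table -AutoSize

$exposed = @($results | Where-Object { $_.AtRisk })
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) location(s) let scripts read the clipboard without a prompt."
} else {
    Write-Output 'No Internet or Restricted zone entry allows silent clipboard access.'
}
```

A zone that does not appear in the output has no explicit value at that location, so the browser's built-in default for that zone applies.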

 

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
