One of the things that separates complete novices from beginners and more advanced PC users is the use of Ctrl-C and Ctrl-V. Probably everyone reading this uses the Windows cut-and-paste feature every few minutes on a busy day.
I bet your executives do it and, let’s face it, even the most security conscious of us often cut and paste very sensitive information such as complex nonsense passwords (the best kind) and long account numbers.
Look this over:
var content = clipboardData.getData("Text"); // reads whatever text is on the user's clipboard
This threat has been fixed, or never existed, in some browsers because of better security defaults, but remember that a lot of your users are running old systems with old versions of various browsers, including Internet Explorer.
I just checked IE 6.0.2900.xxx, which you get with XP SP2, and this hack works with an unmodified system.
(Yes, I keep many old systems around in default installation configurations – not hardened! – otherwise, how could I test to see which of my clients are vulnerable to various threats?)
To fix this Clipboard hack threat in IE, click on “Options”, then the “Security” tab; select “Custom level”; then, under “Allow paste operations via script” (near the bottom), change the default from Enable to either Disable or Prompt.
Before rushing out to secure a couple hundred old machines, see if your browser allows this now.
Check out this test:
A word to the wise, cut and paste some innocuous information before you start testing!
(You DO keep one or more test systems that duplicate every OS version, browser, and upgrade your users have running, don’t you? That’s what removable hard drives are for!)
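As an added self-test of that setting (my own example, not the post's test page): it assumes you first copy the innocuous sentinel string below, then load the script in the browser under test. It reports only a status and never displays, stores or sends what it read from the clipboard.

```javascript
// Added self-test script (not the original post's test page). Copy the
// sentinel below to the clipboard, then load this in the browser under test.
// It only compares what script can read against the sentinel; the clipboard
// contents are never displayed, stored or sent anywhere.
var SENTINEL = "clipboard-self-test-sentinel"; // innocuous text the user copies first

// Probe a clipboardData-like object (defaults to the legacy IE window.clipboardData).
// Returns "not-exposed", "blocked-or-empty", "exposed" or "other-content".
function clipboardReadStatus(cb) {
  if (cb === undefined) {
    cb = (typeof window !== "undefined") ? window.clipboardData : undefined;
  }
  if (!cb || typeof cb.getData !== "function") {
    return "not-exposed";        // browser offers no script-readable clipboard object
  }
  var text;
  try {
    text = cb.getData("Text");   // the exact call the post shows
  } catch (e) {
    return "blocked-or-empty";   // the call itself was refused
  }
  if (text === null || text === undefined || text === "") {
    return "blocked-or-empty";   // Disable, a declined Prompt, or an empty clipboard
  }
  return text === SENTINEL ? "exposed" : "other-content";
}

// Plain-language verdict for the status, for the test page or a report.
function describeStatus(status) {
  var messages = {
    "not-exposed": "Script cannot see the clipboard: no clipboardData.getData available.",
    "blocked-or-empty": "getData returned nothing: paste-via-script is disabled/prompted, or the clipboard was empty.",
    "exposed": "VULNERABLE: script read the sentinel from the clipboard (if no prompt appeared, the setting is Enable).",
    "other-content": "Script read clipboard text, but not the sentinel: copy the sentinel and retry."
  };
  return messages[status] || "Unknown status: " + status;
}

// In a browser, write the verdict into the page; outside a browser this is skipped.
if (typeof document !== "undefined") {
  document.write("<p>" + describeStatus(clipboardReadStatus()) + "</p>");
}
```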
For more information about the clipboardData Object, see:
(And I bet you thought “Clippy” was the only really annoying thing in Windows!)
Also recall that even if you have a system that blocks this hack today, there are always restores from old backups and the possibility of some future hack that will alter the security setting some day, if it isn’t inadvertently reset by some “official” update first.
Don’t cut-and-paste sensitive data and then go surfing!
Unlike many security warnings, in this case a word to an executive that his/her most private data, such as Swiss bank account numbers and passwords (GRIN), can be exposed to any Web site manager who decides to include this simple code along with code to redirect the output to a database, is a warning worth passing along.
If nothing else, it will show them you are on the ball!
Of course you might choose to keep this hack a secret and use it on your own Web site to collect a little job insurance, but that would only lead to trouble eventually!