Developer

Can Everyone See Your Cut-'n'-Paste? Probably, if you use IE 6 or earlier.

Don't Let Your Users Get Clipped! JavaScript code on a Web page can capture the content of your clipboard. This old hack is still possible on many systems - PROBABLY some of your client's. Check it out and FIX it.

NOTE, in this report I used Java and JavaScript interchangeably because the purpose is to focus on protecting against this threat, not teaching some novice how to implement it on every web page they create. Readers should know that JavaScript is related to Java but with a smaller command set and can be imbedded in HTML whereas Java code would be called from HTML. I apologise for any confusion, I do know the difference and I thought my readers would see the reason behind this - I know we have novice members in TR. But this obviously caused some confusion so I am changing the terms.

One of the things that separates complete novices from beginners and more advanced PC users is the use of Ctrl-C and Ctrl-V. Probably everyone reading this uses the Windows cut-and-paste feature every few minutes on a busy day.

I bet your executives do it and, let's face it, even the most security conscious of us often cut and paste very sensitive information such as complex nonsense passwords (the best kind) and long account numbers.

But you need to remember that very simple JavaScript code inserted into HTML on a Web page can capture and redirect the current contents of your clipboard buffer.

Look this over:

<S Language="JavaScript">

var content = clipboardData.getData("Text")

(The complete (brief) source code is widely available and pretty obvious to JavaScript programmers since the same process is used for many legitimate purposes, so I am not revealing anything but I removed a bit of the code anyway out of security concerns - no reason to make it too easy for beginners to get into trouble.)

This threat has been fixed or never existed in some browsers because of better security defaults but remember that a lot of your users are running old systems with old versions of various browsers, including Internet Explorer.

I just checked IE 6.0.2900.xxx, which you get with XP SP2, and this hack works with an unmodified system.

(Yes, I keep many old systems around in default installation configurations - not hardened! - otherwise, how could I test to see which of my clients are vulnerable to various threats?)

To fix this Clipboard hack threat in IE, click on "options", then "security" tabs; select custom level; then, under "Allow paste operations via script" (near the bottom), change the default Enable to either Disable or Prompt.

Before rushing out to secure a couple hundred old machines, see if your browser allows this now.

Check out this test:

http://www.port80software.com/200ok/archive/2006/08/08/2484.aspx

A word to the wise, cut and paste some innocuous information before you start testing!

(You DO keep one or more test systems that duplicate every OS version, browser, and upgrade your users have running, don't you? That's what removeable hard drives are for!) 

For more information about the clipboardData Object, see:

http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboarddata.asp

(And I bet you thought "Clippy" was the only really annoying thing in Windows!)

Please, before you dismiss this JavaScript hack as old news, run a quick test on the oldest PCs in your office, especially on laptops or anything used by top executives (who probably refused to upgrade so they wouldn't have to learn any new system - unlike the wise geek who doesn't upgrade because he/she knows something will always go wrong!).

Also recall that even if you have a system that blocks this hack today, there are always backup restores and the possibility of some future hack that will alter the security setting some day - if it isn't inadvertently and accidentally reset by some "official" update.

It would be a good idea to add warnings about this JavaScript hack to security lessons you should be giving already and to your security manual.

Don't cut-and-paste sensitive data and then go surfing! 

Unlike many security warnings, in this case, a word to an executive that his/her most private data, such as Swiss bank account numbers and passwords (GRIN), can be exposed to any Web site manager who decides to include this simple HTML code along with code to redirect the output to a database. 

If nothing else, it will show them you are on the ball!

Of course you might choose to keep this hack a secret and use it on your own Web site to collect a little job insurance, but that would only lead to trouble eventually!

Editor's Picks

Free Newsletters, In your Inbox