Xisto Corporation
Himanshu1405241508

Security Issue With Ctrl+c/copy On Clipboard


Hi friends,

I posted the following security exploit in IE at Xisto but missed out posting it here.

Click here for the actual post:
http://forums.xisto.com/topic/27178-topic/

We all copy various data by using Ctrl+C/Copy for pasting elsewhere. This copied data is stored on the clipboard and is accessible over the net by a combination of JavaScript and ASP.

Just try this:
1) Copy any text with Ctrl+C
2) Click the Link: http://www.friendlycanadian.com/rg-erdr.php?_rpo=t
3) You will see the text you copied on the screen, which was accessed by this web page.

Moral:
Do not keep sensitive data (like passwords, credit card numbers, PINs etc.) in the clipboard while surfing the web. It is extremely easy to extract the text stored in the clipboard to steal your sensitive information. If sufficient data is stored by mistake, it would give away confidential and important information without you knowing about it.

To Avoid This
To avoid this, follow these steps:

1. Go to Internet Options -> Security.

2. Press Custom Level.

3. In the security settings, select Disable under "Allow paste operations via script".
Now the contents of your clipboard are safe.


Pass this information on to create an awareness of the same.

Safe Browsing,
Cheers.


I'll be damned...

The page doesn't work with Firefox (or at least it is not specified there). When I tried it with Firefox it didn't show anything in the box; in IE it showed what I had on the clipboard and then (after fixing it with Himanshu's solution) it said:

No text found in clipboard. This is a good thing!
Works with Internet Explorer and Netscape


I wonder if Firefox allows this same flaw??? Either way, everyone should be aware that this is going on.

I personally chose to have IE prompt me if I wanted text to be autopasted from the clipboard, so I could detect which S.O.B. pages are trying to screw people up...


It did not work for me either. Thanks to the one and only Firefox. I am happy that I am using such a safe browser. But anyway, it is very nice information. From now onwards I will take care of this thing. Thanks Himanshu for the nice post.


Cheers for this piece of information. Unfortunately I am as lazy as they come, and I do copy-paste my user information and browse the internet at the same time, and even worse, I have to use both browsers, that is Internet Explorer and Firefox, because I have to make sure the websites I am working on look and work well in both browsers, and a lot of the time I copy the FTP and cPanel information to my clipboard and just run through the web and paste paste paste :S ..... will be more careful from now on.


Wow. I had no idea that this was a possible problem. I use Firefox (way better than IE and Netscape, no contest), but even with their dedication to better security, I think I'll make sure that I pay attention to what I'm doing with copy/paste. Thanks for the heads-up!


Quote

Hi friends,

I posted the following security exploit in IE at Xisto but missed out posting it here.

Click here for the actual post:
http://forums.xisto.com/topic/27178-topic/

Pass this information on to create an awareness of the same.

Safe Browsing,
Cheers.


I read some information about this security issue in web browsers. Actually, it is only a security issue for the surfers that use Microsoft Internet Explorer; the rest of us who do not use this internet browser can relax, we are not vulnerable. Anyway, I will explain a little bit about this clipboard sniffer.

 

1. Only in Microsoft Internet Explorer

The people at Microsoft said it is a "feature" provided by Internet Explorer. The truth is that many web developers think that it is more like a bug, because it allows any website with a "clipboard sniffer" to read and use the content of your clipboard. No matter if you are working in another application that is not Internet Explorer, it is enough for the clipboard sniffer that you open the website where it is installed in a window of Internet Explorer. You won't notice any weird activity.

 

2. The script is Client Side only

This means that it only runs on the computer of the visitor of the website. The clipboard sniffer is actually based only on a very easy (really very easy) JavaScript code that would only be correctly interpreted and executed by Microsoft Internet Explorer. It has no relation to server-side scripting languages such as ASP, PHP, JSP, CGI, etc.; it is completely independent. It is only related to Internet Explorer 6 or lower versions, and Internet Explorer 7 will ask you, before entering a website with the clipboard sniffer, if you allow this website to access your clipboard. This is more like an 'easy patch' implemented by the Microsoft guys in the last version of their web browser, because it won't fix the security problem in many cases. The 'common', 'normal' and 'non-geek' web surfers may not understand or even read this advice and will click "yes" to these kinds of annoying messages from their browser. Some users are just desperate to open the web page and they would not notice the text of any advice the explorer will show, especially if they are using Internet Explorer 7 under Windows Vista, because they have to deal with many annoying "security advices" of this operating system all day; after a few minutes of this I would be desperate and I would be hating these messages too.

 

3. The solution

The straightforward and easiest solution to keep your data secure from clipboard sniffers is simply not using a browser with this "feature". I recommend Firefox or Opera. Both are great browsers and have a solid platform and excellent support for web standards.

 

Firefox is a completely free open source web browser and is available for Windows, Mac OS X, Linux, Solaris and other OSes.

Opera is also free to download, but recently they changed their policies and they require you to put some ads or purchase it ^_^

 

If you still want to use Internet Explorer anyway, that is OK, but it is recommended to change your security settings:

 

Internet Explorer 5 and 6

1. In Control Panel, click Internet Options.

2. Click the Security tab.

3. Under Select a Web content zone to specify its security settings, click the zone where you want to prevent Web sites from accessing your clipboard.

4. Click Custom Level.

5. In the Scripting section, under Allow paste operations via script, click Prompt or Disable.

6. Click OK.

 

Internet Explorer 4

1. In Control Panel, click Internet Options.

2. Click the Security tab.

3. Under Select a Web content zone to specify its security settings, click the zone where you want to prevent Web sites from accessing your clipboard.

4. Click Custom, and then click Settings.

5. Click Prompt or Disable for Script ActiveX controls marked safe for scripting, and then click OK.

 

 

Note: Windows Administrators can also adjust the default setting for this feature by using Group Policy or the Internet Explorer Administration Kit (IEAK).

 

These steps to fix the security issue were taken from the Microsoft Help and Support available at: How to Prevent Web Sites From Obtaining Access to the Contents of Your Windows Clipboard

 

There you will see quite a long text from Microsoft explaining that it is not a problem because Internet Explorer blocks this "feature" if you turn on the "High Security" mode of Internet Explorer. This mode is more like a "Paranoid mode" because it also blocks many other real features of the web browser.

 

 

Conclusion

This feature or bug is a bad characteristic of Internet Explorer in almost all cases. However, it could be useful for some RIAs (Rich Internet Applications) that run under this web browser, and it could be used in a very positive way to create more interactive and desktop-like applications. I think that this feature should be disabled by default in any security level of Internet Explorer, and when a trusted website has a clipboard sniffer script that would be used to enable copy/paste support for some interesting features, a message should then prompt and the user may enable this feature. I have not seen any website that uses this feature, maybe because it is better to copy/paste in the traditional way via the web browser's clipboard support and not via the JavaScript support that is only compatible with Internet Explorer. By using the traditional clipboard support of the web browser, websites only have access to the data that has been pasted into an input box and do not see the entire clipboard like in the JavaScript sniffer.

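An audit of the setting that both sets of steps above change ("Allow paste operations via script"), as an added example that is not part of the original thread. It assumes the standard Internet Explorer zone storage in the registry, where this setting is URL action 1407 (0 = Enable, 1 = Prompt, 3 = Disable); those names and paths do not appear in the posts. The script reports each stored value separately and does not compute which one takes precedence.

```powershell
# Added example: report "Allow paste operations via script" for each IE zone.
# Assumption (not from the thread): the setting is URL action 1407, stored as a
# DWORD where 0 = Enable, 1 = Prompt, 3 = Disable.
$Action     = '1407'
$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                 3 = 'Internet';    4 = 'Restricted sites' }
$StateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Registry locations where zone settings can be stored (Group Policy and local).
$Suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Roots  = [ordered]@{
    'Machine policy'  = "HKLM:\Software\Policies\$Suffix"
    'User policy'     = "HKCU:\Software\Policies\$Suffix"
    'User setting'    = "HKCU:\Software\$Suffix"
    'Machine default' = "HKLM:\Software\$Suffix"
}

$report = foreach ($zone in 0..4) {
    foreach ($source in $Roots.Keys) {
        $key  = Join-Path $Roots[$source] "$zone"
        $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # nothing stored at this location
        $value = [int]$item.$Action
        $state = if ($StateNames.ContainsKey($value)) { $StateNames[$value] } else { 'Unknown' }
        [pscustomobject]@{
            Zone    = $ZoneNames[$zone]
            Source  = $source
            Value   = $value
            Setting = $state
            Silent  = ($value -eq 0)   # script paste allowed with no prompt
        }
    }
}

$report | Format-Table -AutoSize

# Flag zones that hold untrusted sites and still allow silent script paste.
$exposed = @($report | Where-Object { $_.Silent -and $_.Zone -in 'Internet', 'Restricted sites' })
if ($exposed.Count -gt 0) {
    Write-Warning ("Script paste is enabled without a prompt in: " +
        (($exposed | ForEach-Object { "$($_.Zone) [$($_.Source)]" }) -join ', '))
} else {
    Write-Output 'No stored value enables silent script paste for the Internet or Restricted sites zones.'
}
```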

This is fine in Firefox but very dangerous in IE 6 (or prior versions), which doesn't ask for user permission. So a website that you are visiting can track your clipboard data without your knowledge! You can find an example in this blog: http://forums.xisto.com/no_longer_exists/; (it's safe) - Try it in IE6 to see it for yourself.

Firefox requires that the user change the preferences or grant access; either way it's happening with your permission. But IE6 doesn't ask you!


I am so sorry to point out that in FF you might be wrong. I have to empty the clipboard many times a day and that's without any browser open.

Quote

Do not keep sensitive data (like passwords, credit card numbers, PINs etc.)

Unfortunately, we are often asked to have rather complicated passwords (for instance more than 12 keystrokes), and a lot of people currently store them somewhere, like in a password safe, and copy-paste them.

On 1/10/2008 at 1:54 AM, andresmtz said:

This feature or bug is a bad characteristic of Internet Explorer in almost all cases.

Does this feature also exist with the Microsoft Edge browser?
