Internet Explorer Clipboard Stealing Vulnerability
15 Jan. 2002
Summary
Since Microsoft Internet Explorer version 5.0, there has been a way to read and set the users clipboard text from script, by default, and with no prompting. This can be handy for web-based applications to do so, but can be used in a malicious way to steal the clipboard contents.
It is easily possible to monitor the contents of the clipboard, and send it to a remote server-side script for processing. The remote script could then save the clipboard text in a database, or e-mail it to the evil overlord script creator. By itself this doesn't cause much harm, but users can often copy sensitive information to the clipboard - e-mails, addresses, passwords, pictures - just about anything, which could then fall into the wrong hands.
The problem lies in the clipboardData object[1], and the getData method[2]. By simply using a setInterval [3], a script can check for a change in the contents of the clipboard, and forward it either using a hidden form, or the XMLHTTP [4] ActiveX object.
Exploit:
You can view a sample exploit at: http://tom.vpwsys.co.uk/clipboard/exploit.html (IE5.0+, with default security rules). This does no harm to your computer, and does not send any information to the author. More information about Data Transfer can be found in the MSDN article, about DHTML Data Transfer[5].
In the most evil of situations, this could be used for an almost un-closeable clipboard monitor (see the 2nd example [6]). It could be launched from a HTML e-mail within Outlook or Outlook Express (if the security zone is set to "Internet", and the internet zone settings are set to default - basically the default settings of pre-OE6), and maybe be used in conjunction with an e-mail worm to send itself on.
User solution:
You can edit this via Tools > Internet Options > Security > Select a security zone > Custom Level > Scripting > Allow paste operations via script. You can set this to Enable (the default for the internet zone), Disable (default for restricted sites) or Prompt. It is recommend you set it to prompt - scripts can still have clipboard access, but only when you say so.
