|
Brought to you by:
Suppliers of:
|
|
|
| |
| Since Microsoft Internet Explorer version 5.0, there has been a way to read and set the users clipboard text from script, by default, and with no prompting. This can be handy for web-based applications to do so, but can be used in a malicious way to steal the clipboard contents. |
| |
Credit:
Handy links:
[1] clipboardData object - http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboarddata.asp
[2] getData method - http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/getdata.asp
[3] setInterval method - http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/setinterval.asp
[4] XMLHTTP object - http://msdn.microsoft.com/library/en-us/xmlsdk/htm/xml_obj_ixmlhttprequest_8bp0.asp
[5] About DHTML Data Transfer - http://msdn.microsoft.com/workshop/author/datatransfer/overview.asp
[6] Exploit examples - http://tom.vpwsys.co.uk/clipboard/exploit.html
The information has been provided by Tom Gilder and TAKAGI, Hiromitsu.
|
| |
It is easily possible to monitor the contents of the clipboard, and send it to a remote server-side script for processing. The remote script could then save the clipboard text in a database, or e-mail it to the evil overlord script creator. By itself this doesn't cause much harm, but users can often copy sensitive information to the clipboard - e-mails, addresses, passwords, pictures - just about anything, which could then fall into the wrong hands.
The problem lies in the clipboardData object[1], and the getData method[2]. By simply using a setInterval [3], a script can check for a change in the contents of the clipboard, and forward it either using a hidden form, or the XMLHTTP [4] ActiveX object.
Exploit:
You can view a sample exploit at:
http://tom.vpwsys.co.uk/clipboard/exploit.html (IE5.0+, with default security rules). This does no harm to your computer, and does not send any information to the author. More information about Data Transfer can be found in the MSDN article, about DHTML Data Transfer[5].
In the most evil of situations, this could be used for an almost un-closeable clipboard monitor (see the 2nd example [6]). It could be launched from a HTML e-mail within Outlook or Outlook Express (if the security zone is set to "Internet", and the internet zone settings are set to default - basically the default settings of pre-OE6), and maybe be used in conjunction with an e-mail worm to send itself on.
User solution:
You can edit this via Tools > Internet Options > Security > Select a security zone > Custom Level > Scripting > Allow paste operations via script. You can set this to Enable (the default for the internet zone), Disable (default for restricted sites) or Prompt. It is recommend you set it to prompt - scripts can still have clipboard access, but only when you say so.
|
| Subject:
|
Clipboard message |
Date: |
25 Sep. 2006 |
| From: |
marilynjobson-scott.com |
I do surveys for PineCone Research and when logging in to the last one a message appears about access to the clipboard as follows
Do you want to allow this webpage to access your clipboard? If you allow this, the webpage can access the clipboard & read information that you have cut or copied recently. Allow access Don't allow
When clicking on the boxes it does not allow anything to happen either by allowing or not. Also I cannot log out of the page and can only clear by restarting the computer.
I have tried everything that Pinecone has suggested to no avail. I have Java installed, ActiveX, plus all the security things such as MacAfee, with all updates, Zone Alarm, Spybot, AdAware. I have run all these. I have tried disabling them, as well as popup blockers all to no avail. I installed Explorer 7 prior to this problem.
Having spent so much time trying to get rid of this & do the survey I am going mad, now the survey time has run out.
Please please help
Marilyn Jobson-Scott
|
|
| Subject:
|
Re: Internet Explorer Clipboard Stealing Vulnerability |
Date: |
13 Dec. 2006 |
| From: |
anonymous |
| I just became aware of this after installing IE7. Previous browser versions never warned of it (to my knowledge). Three sites so far have triggered IE7 to ask whether I wanted to allow clipboard access. This is a serious thing when you use a password manager (like Password Corral) to copy/paste passwords into Web forms. These requests ought to have been illegal all along. |
|
|
|
|
|
|
