
Monday, October 09, 2006

Clipboard Security Hole in Internet Explorer: Attackers Can Steal Copied Text

It is true: the text you last copied for pasting (copy & paste) can be stolen when you visit web sites that use a combination of JavaScript and ASP (or PHP, or CGI) to write your possibly sensitive data to a database on another server. Hopefully you haven't copied a credit card number recently before surfing!
Check here first to see if you have a clipboard vulnerability (watch out for the pop-up ad). If something shows up, you have a problem.

This is a vulnerability I first heard about a while back, and it came back to me recently since I've been using the clipboard extensively when doing screen captures. While images aren't vulnerable, text certainly is. Firefox is apparently immune to this flaw, but even if you don't normally use Internet Explorer, it's still a good idea to close this security hole in IE that allows sites to access your clipboard.

To fix the clipboard security flaw:

Open up IE, and go to Tools -> Internet Options -> Security -> Select a security zone.
Choose Custom Level -> Scripting -> "Allow paste operations via script" and set it to Disable.
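
The same setting can be checked for every zone at once from PowerShell instead of clicking through the dialog. This is an added example, not part of the original post; it assumes the option is stored per zone as the DWORD registry value `1407` (0 = Enable, 1 = Prompt, 3 = Disable) under the current user's Internet Settings zone keys.

```powershell
# Added example: audit "Allow paste operations via script" in every IE security
# zone for the current user, and optionally set it to Disable with -Fix.
# Assumption: the option is the DWORD value "1407" under each zone key
# (0 = Enable, 1 = Prompt, 3 = Disable). A Group Policy copy of the value,
# if one exists, takes precedence and is not changed by this script.
param([switch]$Fix)

$base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = 'My Computer', 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites'
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$report = foreach ($id in 0..4) {
    $key   = Join-Path $base $id
    $value = (Get-ItemProperty -Path $key -Name '1407' -ErrorAction SilentlyContinue).'1407'

    # With -Fix, write Disable (3) wherever the zone key exists and is not already 3.
    if ($Fix -and $value -ne 3 -and (Test-Path $key)) {
        Set-ItemProperty -Path $key -Name '1407' -Value 3 -Type DWord
        $value = 3
    }

    $setting = if ($null -eq $value) { 'Not set' }
               elseif ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
               else { "Unknown ($value)" }

    [pscustomobject]@{
        Zone           = $zoneNames[$id]
        Setting        = $setting
        ScriptCanPaste = ($value -eq 0)   # true only when scripts may read the clipboard silently
    }
}

$report | Format-Table -AutoSize
```

Run it without arguments to report only; any zone showing `Enable` still lets a page script read copied text without asking.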


It looks like IE 7 won't be affected by this problem. A prompt will pop up if a site tries to access your clipboard.


Reader Comments:


In case anyone is interested, I've built a demonstration of how this hole can be exploited by website operators. It uses the IE Ajax component to send the site your clipboard contents in the background which are then stored to a database.

Clipboard Snort Demo

