Re: Security Flaw: Any website can read your clipboard text

From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 09/20/05


Date: 20 Sep 2005 19:09:23 GMT

Jim Watt <jimwatt@aol.no_way> writes:

>On Tue, 20 Sep 2005 08:35:47 -0700, Zilbandy
><zil@zilbandyREMOVETHIS.com> wrote:

>>Jim Watt <jimwatt@aol.no_way> wrote:
>>
>>>>> Web sites you visit can retrieve data from your clipboard depending on
>>>>> your security settings. Go to this page (www.clipboard.googlemyway.com)
>>>>> and see if anything shows up in the box. If you are using Firefox or
>>>>> Opera you probably won't see anything. However, if you are using
>>>>> Internet Explorer then chances are that whatever you last copied into
>>>>> your clipboard will be displayed.

This is very iffy. For example, the web site could just be sending a
message to your browser to display the clipboard. This does NOT mean that
the remote site knows anything about your clipboard, just that it has told
your own browser on your own machine to display the clipboard, a totally
secure thing to do.

Are you sure this is anything different than that, ie, that the remote site
can get the contents of your clipboard?

>>>>
>>>>I do not use Windows so I have not been able to verify it. However, if true,
>>>>has this been acknowledged by MS? Are they going to fix it?
>>>
>>>Its certainly true.
>>>
>>>One could regard it as a feature rather than a bug and there is the
>>>option to turn it off. Mine is now off because its a feature to live
>>>without.
>>
>>Where would that option to turn it off be located?

>tools>internet options>security>custom level

>navigate the tree to

>scripting
> allow paste operations by script

>and check the 'disable' radio button.
>--
>Jim Watt
>http://www.gibnet.com