Re: Security Flaw: Any website can read your clipboard text

From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 09/22/05


Date: Thu, 22 Sep 2005 11:22:57 GMT


"Unruh" <unruh-spam@physics.ubc.ca> wrote in message
news:dgpmp2$dap$1@nntp.itservices.ubc.ca...
> Jim Watt <jimwatt@aol.no_way> writes:
>
> >On Tue, 20 Sep 2005 08:35:47 -0700, Zilbandy
> ><zil@zilbandyREMOVETHIS.com> wrote:
>
> >>Jim Watt <jimwatt@aol.no_way> wrote:
> >>
> >>>>> Web sites you visit can retrieve data from your clipboard depending on
> >>>>> your security settings. Go to this page (www.clipboard.googlemyway.com)
> >>>>> and see if anything shows up in the box. If you are using Firefox or
> >>>>> Opera you probably won't see anything. However, if you are using
> >>>>> Internet Explorer then chances are that whatever you last copied into
> >>>>> your clipboard will be displayed.
>
> This is very iffy. For example, the web site could just be sending a
> message to your browser to display the clipboard. This does NOT mean that
> the remote site knows anything about your clipboard, just that it has told
> your own browser on your own machine to display the clipboard, a totally
> secure thing to do.
>
> Are you sure this is anything different than that, ie, that the remote site
> can get the contents of your clipboard?

This is /precisely/ what it's doing - the clipboardData object allows you to
get, set, and clear.

Once the JScript has hold of something, it can simply POST it anywhere it
likes.

Yet another "useful" feature that's left as a gaping hole by default...
although in terms of criticality, it's at the "gadfly" level. The "look, we
can display your drive contents" frame pseudo-exploit was far scarier to the
average user, methinks.

-- 
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
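
The "security settings" the thread refers to can be checked per zone. The following is an added example, not part of the original post: it reads Internet Explorer URL action 1407 ("Allow paste operations via script") from the standard zone registry keys and flags untrusted zones where script can read the clipboard without a prompt. The helper name `Get-ScriptPasteSetting` is hypothetical, and the script reports each hive separately rather than resolving policy precedence.

```powershell
# Added example (not from the original post). Audits URL action 1407,
# the IE zone setting "Allow paste operations via script" (shown in later
# versions as "Allow Programmatic clipboard access").
# DWORD values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Roots     = @(
    "HKLM:\Software\Policies\$Suffix",   # machine policy
    "HKCU:\Software\Policies\$Suffix",   # user policy
    "HKCU:\Software\$Suffix",            # per-user setting
    "HKLM:\Software\$Suffix"             # machine-wide setting
)

# Hypothetical helper name. Emits one object per hive and zone where 1407 is set.
function Get-ScriptPasteSetting {
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $prop = Get-ItemProperty -Path "$root\$zone" -Name '1407' `
                        -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # key or value absent in this hive
            $value = [int]$prop.'1407'
            $state = if ($Meaning.ContainsKey($value)) { $Meaning[$value] }
                     else { "Unknown ($value)" }
            [pscustomobject]@{
                Hive    = $root.Substring(0, 4)
                Policy  = $root -like '*\Policies\*'
                Zone    = $ZoneNames[$zone]
                State   = $state
                # Enabled in Internet or Restricted zone: silent clipboard reads.
                Exposed = ($zone -ge 3 -and $value -eq 0)
            }
        }
    }
}

$results = @(Get-ScriptPasteSetting)
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Exposed }) {
    Write-Warning 'Script clipboard access is enabled without a prompt in an untrusted zone.'
}
```

Setting the value to 1 (Prompt) or 3 (Disable) for the Internet zone stops a page script from reading the clipboard silently.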