Re: Security Flaw: Any website can read your clipboard text

From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 09/22/05


Date: Thu, 22 Sep 2005 11:22:57 GMT


"Unruh" <unruh-spam@physics.ubc.ca> wrote in message
news:dgpmp2$dap$1@nntp.itservices.ubc.ca...
> Jim Watt <jimwatt@aol.no_way> writes:
>
> >On Tue, 20 Sep 2005 08:35:47 -0700, Zilbandy
> ><zil@zilbandyREMOVETHIS.com> wrote:
>
> >>Jim Watt <jimwatt@aol.no_way> wrote:
> >>
> >>>>> Web sites you visit can retrieve data from your clipboard depending
on
> >>>>> your security settings. Go to this page
(www.clipboard.googlemyway.com)
> >>>>> and see if anything shows up in the box. If you are using Firefox or
> >>>>> Opera you probably won't see anything. However, if you are using
> >>>>> Internet Explorer then chances are that whatever you last copied
into
> >>>>> your clipboard will be displayed.
>
> This is very iffy. For example, the web site could just be sending a
> message to your browser to display the clipboard. This does NOT mean that
> the remote site knows anything about your clipboard, just that it has told
> your own browser on your own machine to display the clipboard, a totally
> secure thing to do.
>
> Are you sure this is anything different than that, ie, that the remote
site
> can get the contents of your clipboard?

This is /precisely/ what it's doing - the clipboardData object allows you to
get, set, and clear.

Once the JScript has hold of something, it can simply POST it anywhere it
likes.

Yet another "useful" feature that's left as a gaping hole by default...
although in terms of criticality, it's at the "gadfly" level. The "look, we
can display your drive contents" frame pseudo-exploit was far scarier to the
average user, methinks.

-- 
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!


Relevant Pages

  • Re: Security Flaw: Any website can read your clipboard text
    ... >message to your browser to display the clipboard. ... >the remote site knows anything about your clipboard, ...
    (alt.computer.security)
  • Re: 3 WMS pins For Sale Package Deal last time
    ... Posting in a public newsgroup will likely get you both comments and opinions whether you like it or not. ... If the price is right, ... Demolition Man Nice display, good cabinet,good playfield. ... Johnny Mnemonic Cabinet has red faded, playfield nice, but dirty, ...
    (rec.games.pinball)
  • Re: When HP loses to Oracle....
    ... crap design for end-users. ... The opinions of the folks that agree with me are usually less challenging... ... On why I think the existing startup is crap, and particularly given the long-term trends around the expectations of future server administrators and of IT staff. ... But for the most part, they just use a display, or two, to show the same information that was displayed with the old systems. ...
    (comp.os.vms)
  • Re: Tenet rats out sinking ship
    ... Rightly or wrongly, I own my opinions, and I come to them (from what I ... You know the Japanese attitude at that time, ... My group has had the Eyes Wide Open display for a few months and ... told that now we're going to display shoes. ...
    (rec.music.gdead)
  • Re: Copying hidden text, possible?
    ... You can define a Range in a macro to be anything you want, including hidden text, and do as you will with it - no need to change the display in the process at all. ... It's fascinating that Word can paste the text internally while hidden, ... Clipboard can paste the hidden text but does not display the text ...
    (microsoft.public.word.newusers)