Re: Windows Clipboard Exploit

From: Michel Gallant (MVP)
Date: 12/23/02

Date: Mon, 23 Dec 2002 08:57:16 -0500
From: "Michel Gallant (MVP)" <>

Some settings might help, but with a fully patched Win2000 sp3, and "default configured" IE,
this apparent vulnerability is there (confirmed).
We can't expect users to have to do special configurations. We already know that
recently patched OE6 will prevent this, since embedded scripting within email
is disabled (Restricted Sites zone) by default.

Obviously, there is nothing wrong with being able to use the system clipboard
to paste its contents into any form element in a web page. However, this
should ONLY be allowed **under user-directed control**.
A script being able to programmatically (and transparently) read your clipboard is
definitely dangerous.

Consider this:
 - user visits a malicious web page unwittingly (or deliberately) with IE 5.0+
 - script in page reads system clipboard, pastes clipboard into some form text-element, reads it
    again into a HIDDEN form element, erases the visible text-element.
 - invites the user to SUBMIT the contents (or may be able to submit automatically to same site)
 - the user will NOT know that they are submitting hidden form element with their (supposedly
    private) clipboard contents.

 - say the user has PREVIOUSLY been doing an e-banking session, and had naively copied his/her
    pin #, for convenience, to clipboard ....  there you have it!

So what is Microsoft's take on this one? Please respond; are we exaggerating the importance of
this? Should the scripting capability of document.execCommand be limited?

 - Michel Gallant
   MVP Security
   JavaScience Consulting

Robert Moir wrote:

Ok but it's something that can be controlled by browser settings, right?

"Michel Gallant (MVP)" <> wrote in message

the clipboard contents can be pasted into a form element, then the page script
has the contents therein, and can subsequently POST it to that site automatically.
So this is an issue.
 - Mitch

Robert Moir wrote:

Can data actually be uploaded from that exploit demo to a web server? As it stands it's just a very simple copy and paste of stuff between two local text windows via the clipboard and no more an exploit than those things that list the c:\ drive in an iframe.

"Michel Gallant (MVP)" <> wrote in message

a HUGE and very easily exercised vulnerability!
Seems clear that the IE document.execCommand() should be
patched asap on this one.
Most people would be under the impression that local
clipboard access is a privileged action, which it obviously
is not for IE/script.
As usual, surf to random sites and you will sooner (rather than
later) be dinged by some sort of vulnerability.
But with the rising number of e-banking/shopping, this IS
a big one.

 - Michel Gallant
   MVP Security
   JavaScience Consulting

Toby wrote:

WOW ...

That is nuts, I won't be copying and pasting passwords
anymore!

Websites can actually harvest your clipboard contents

Thanks for the heads up

I will put this in XP security also before people start
getting hit

>-----Original Message-----
>Dr Reinhard W Rasche