Linked by Eugenia Loli on Sun 20th Nov 2005 01:14 UTC, submitted by Stephen Robinson
AmigaWorld.net (by the way, check their brand new mobile site too) reader Olegil demonstrates how to read the Windows clipboard using the IE 5+ clipboard API. IE's clipboard API is a known, deliberate design decision that allows for better interoperability with Office/VBA. But as Olegil shows, the rules of the game are too loose, and information can be stolen and stored on a remote server.
Anonymous
Member since:
---

Why would anyone be using IE 5 (Or 6 for that matter, but IE5 is way worse)?

Reply Score: 0

klynch Member since:
2005-07-06

I believe it's IE5+, so IE6 has the problem, too.

Reply Score: 1

Eugenia Member since:
2005-06-28

Read more carefully, it's IE5+, this means that the LATEST IE also has the problem. I wrote IE5+ because this is when this API was first introduced.

Reply Score: 5

rm6990 Member since:
2005-07-04

The bug still works in the latest patched IE (all Windows updates done, SP2 installed) on Windows XP Home. I use Flock currently anyways, so I don't care (I love Flock's Blogging utilities in case anyone is wondering why I use it and not Firefox).

Reply Score: 1

Anonymous Member since:
---

Oops, my bad.

Reply Score: 0

Celerate Member since:
2005-06-29

About your title; I really don't think updates have anything to do with this if it's a feature done intentionally by Microsoft and they didn't intend to protect it in the first place. It's not a very smart feature to leave unprotected, but then I doubt most people using IE out there have sensitive information in their clipboard that often.

I think MS could have a timeout on clipboard content though, most clipboard usage is finished within seconds or minutes, so MS could just have the clipboard cleared a few minutes or an hour after the last time the clipboard buffer was written to.

Just my $0.02

Reply Score: 1

klynch Member since:
2005-07-06

"It's not a very smart feature to leave unprotected, but then I doubt most people using IE out there have sensitive information in their clipboard that often."

I beg to differ. I know several people who keep important information like passwords and credit card numbers in text files.

Reply Score: 2

TezKAh Member since:
2005-07-06

Why would you have your password or credit card information in a text file unless you were dumb?

Also, this "exploit" wouldn't let you get at those files, only if they copied their credit card number + expiry date, or their password and then went to this site, AND it was a site that was set up to copy that information. How would it know a password from any other word?

Really, all these "SECURITY BREACHES" are a bad thing, so many useless ones like this, and for example the gmail "exploit" (If a cracker has your username and password he can hack your account!) are nothing more than scaremongering.

Plus, it makes it harder to discern the real security threats with all this noise and saber rattling.

Reply Score: 1

Anonymous Member since:
---

Things get worse than this. In Windows, the clipboard is one of the most important ways to get information from one application to another. You say "why would you have your password or credit card information in a text file unless you were dumb," but I know a security-conscious merchant who has his customer's credit card information encrypted with PGP. When a particular customer needs to be charged, he decrypts the record and copies and pastes the number into the gateway! He does not use Internet Explorer; you should consider reasons sensitive data can, and will, be in the clipboard of many users.

Reply Score: 0

TezKAh Member since:
2005-07-06

Obviously there is *some* risk involved in this. But it would have to be a perfect storm.

1) Copy sensitive information to your clipboard (how often does this happen, even for this merchant? Does he keep these credit card numbers in his clipboard as he goes to other websites? If you had a card number as 4444555566667777 exp 01/99, and you needed to paste that into a web form, how would you do it? I would grab "4444555566667777", and then "01/99" if I had it on my computer AT ALL. Personally, I only type it in to my browser on secure websites.)

2) The person would have to go to a website that is exploiting this flaw, and have BOTH the credit card number and expiry date for his data to be compromised.

Compared to having a keylogger on the machine that phones home:

1) Type the credit card number into any application and expiry date.

Which is more likely to happen?

The solution is to simply not store information that you would not want stolen/copied on your computer, at all. Storing it in your clipboard is just asking for trouble.

Reply Score: 2

Anonymous Member since:
---

Certainly this would have to be the perfect storm. Either a key logger or root kit is obviously much more dangerous than this clipboard exploit. A properly exploited merchant computer could yield to the attacker the PGP private key and then it is only a matter of time until the pass phrase could be obtained through an exhaustive password cracker search. The point of most security is to up the ante to the point where exploitation is impractical while still getting useful work done. However, there is no good excuse for Microsoft to leave this clipboard exploit in their browser.

Reply Score: 1

Wow ....
by WorknMan on Sun 20th Nov 2005 03:08 UTC
WorknMan
Member since:
2005-11-13

I was wondering just the other day if it might be possible to do this - now I know the answer ;)

Reply Score: 1

Anonymous
Member since:
---

Turn off: 'Allow Paste Operations Via Script'

Returns the word 'undefined' with IE 5.5 on Win-Me.

Here's another one:

http://www.securityfocus.com/bid/9643/info/
http://www.securityfocus.com/archive/1/353508
http://www.infinitybit.com/comsec/clippy.html

Reply Score: 2

dylansmrjones Member since:
2005-10-02

Nice for those of us who know...

But what about Average Joe?

Clearly this is something which should be turned off as standard, and only turned on after showing a warning message about being insecure ;)

Reply Score: 1

We did this ages ago
by Anonymous on Sun 20th Nov 2005 09:07 UTC
Anonymous
Member since:
---

And by we, I mean the GNAA and their friends in T4C. When you go to LastMeasure (ie, *.on.nimp.org) your clipboard contents are recorded. In our heyday, we got a lot of juicy information, including passwords, IRC logs, and most of all, the URL of the very site they were at ;)

Reply Score: 0

Oh, by the way
by Anonymous on Sun 20th Nov 2005 09:08 UTC
Anonymous
Member since:
---

There is a clipboard API for Netscape/Firefox, too. It has some semblance of security though.

Reply Score: 0

RE: Oh, by the way
by Anonymous on Mon 21st Nov 2005 18:48 UTC in reply to "Oh, by the way"
Anonymous Member since:
---

No.

Please see how copy, cut, and paste work at
http://www.mozilla.org/editor/midas-spec.html

Reply Score: 0

IE Mac
by ValiantSoul on Sun 20th Nov 2005 09:28 UTC
ValiantSoul
Member since:
2005-07-20

I wonder if this works in IE for Mac? I'm not going to try installing IE just to see, but I am curious.

Reply Score: 2

Surprising, but this is really old news.
by ChiliJ on Sun 20th Nov 2005 12:07 UTC
ChiliJ
Member since:
2005-08-12

What's sad is that lousy programmers/designers make this feature part of their application, making a patch by MS an issue when their apps get broken.

Reply Score: 2

Not news...
by Juerd on Sun 20th Nov 2005 13:43 UTC
Juerd
Member since:
2005-11-20

This comes up every few months, but I keep wondering why it is still spread as "news". This is not new, not recently discovered. Yours truly has written a page about this (http://tnx.nl/clipboard/) as early as three full years ago, and even then, it was already an old issue.

Microsoft has decided not to care about the privacy of their users and to downplay the chances of there being privacy sensitive information in the clipboard. MS does not agree that reality is a better measure.

Reply Score: 2

RE: Not news...
by dylansmrjones on Sun 20th Nov 2005 14:26 UTC in reply to "Not news..."
dylansmrjones Member since:
2005-10-02

Consider it 'follow up' news..

Like "MS has still not fixed goofy security breach in IE" ;)

Reply Score: 1

RE: Not news...
by anda_skoa on Sun 20th Nov 2005 15:39 UTC in reply to "Not news..."
anda_skoa Member since:
2005-07-07

> Microsoft has decided not to care about the privacy of their users

Actually the users do not care about privacy. All that did have switched to some other browser.

The rest is more concerned about getting their data destroyed or corrupted, not about someone else accessing it.

Reply Score: 1

RE[2]: Not news...
by Juerd on Sun 20th Nov 2005 15:42 UTC in reply to "RE: Not news..."
Juerd Member since:
2005-11-20

That's just not true. Most people DO NOT KNOW that their software is unsafe, and that there is free replacement software that is less unsafe.

Reply Score: 2

Simple solution
by DevL on Sun 20th Nov 2005 13:50 UTC
DevL
Member since:
2005-07-06

Dump IE and switch to another browser.

Reply Score: 1

IE7
by Anonymous on Sun 20th Nov 2005 15:44 UTC
Anonymous
Member since:
---

It seems to work in IE7 as well.

Reply Score: 0

Anonymous
Member since:
---

> The solution is to simply not store information that you would not want stolen/copied on your computer, at all. Storing it in your clipboard is just asking for trouble.

I store whatever I like in my clipboard and I expect that it stays there and doesn't get uploaded to some webserver without my knowledge. Blaming the user for such security flaws is an evidence of incapacity.
If there's a popup "Do you want to allow other computers to access your clipboard" and the user clicks "Yes", *then* you can blame him, but not any earlier. Especially not when the browser ships with such an option *enabled* by default.

Reply Score: 0