Your Clipboard - Danger! - vulnerability!!!

REM

Wow, another interesting tidbit from the UBCD4Win forum:

----------------------------------------------------------------------------

"I was sent the following this morning. It's worth keeping in mind.


We do copy various data by Ctrl+c for pasting elsewhere. This copied
data is stored in clipboard and is accessible from the net by a
combination of Java scripts and ASP.

DO NOT keep sensitive data (like credit card numbers, bank login/
passwords, PIN, date of births, etc.) in the clipboard while surfing
the web.

Instead make a practice of typing them always. It is extremely easy to
extract the text stored in the clipboard to steal your sensitive
information.

Just try this,
1) Copy any text by Ctrl+c
2) Now, click the Link:
http://www.friendlycanadian.com/applications/clipboard.htm
3) You will see the SAME text you copied is accessed by this web
page."

----------------------------------------------------------------------------


I had to enable java scripts and lower the internet security settings
lower than high for IE in order to verify that, yes, your clipboard is
vulnerable if the settings are set less than "high" in IE internet
zone.

I haven't been able to get this to work in Firefox or with Avant yet.

I'm trying to figure out exactly what is necessary here. Does Avant
safeguard IE in this case? I am using a script to remove administrator
rights for Avant. I don't know if this has something to do with it or
not at present.

Can anyone with positive results list your specs?

Mine:

Win XP Pro fully patched.

IE v6.0.2900.2180 fully patched with Tools\Internet
Options\Security\Internet\Custom Level < High = vulnerable.
 
If Internet Explorer is set up by a competent professional this is what you
should see:

http://www.proactiveservices.co.uk/proactive_ie.png

That was with text in the clipboard.

Tools->Internet Options->Security->Internet Zone->Custom Level

Allow paste operations via script: Disabled

--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
Can anyone with positive results list your specs?

Doesn't get anything from Opera, either -- seems to me if you're
vulnerable to that, you're vulnerable to a lot more--your security setup
would have to be remarkably low.
 
Allen said:
Doesn't get anything from Opera, either -- seems to me if you're
vulnerable to that, you're vulnerable to a lot more--your security setup
would have to be remarkably low.

I tried it with Firefox and it drew a blank :-)
 
(e-mail address removed) wrote in
I tried it with Firefox and it drew a blank :-)

Same here ... nada.

--
++++++++++++++++++++++++++++++++++++++++++++++
El Gee // www.mistergeek.com <><
Know Christ, Know Peace - No Christ, No Peace
Remove .yourhat to reply
++++++++++++++++++++++++++++++++++++++++++++++
 
Same here. No text at all?

Is this just another reason to use something other than IE?
Not really, just make sure

Allow paste operations via script is disabled
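
One way to audit the setting named in the posts above, as an added example that is not from the thread. It assumes the standard Internet Explorer zone registry layout, where "Allow paste operations via script" is stored per zone as value 1407 (0 = Enable, 1 = Prompt, 3 = Disable); the function names are hypothetical.

```powershell
# Added example (not from the thread). Audits IE URL action 1407,
# "Allow paste operations via script", in each security zone.
$ActionId  = '1407'
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZoneNames = [ordered]@{
    '1' = 'Local intranet'
    '2' = 'Trusted sites'
    '3' = 'Internet'
    '4' = 'Restricted sites'
}
# Group Policy locations first, then the per-machine and per-user settings.
$Roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ScriptPasteSetting {
    foreach ($root in $Roots) {
        foreach ($zone in $ZoneNames.Keys) {
            $key  = Join-Path $root $zone
            $item = Get-ItemProperty -Path $key -Name $ActionId -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # key or value not present here
            $data  = [int]$item.$ActionId
            $state = if ($Meaning.ContainsKey($data)) { $Meaning[$data] } else { "Unknown ($data)" }
            [pscustomobject]@{
                Key     = $key
                Zone    = $ZoneNames[$zone]
                Setting = $state
                # Silent script access in an untrusted zone is the condition
                # the thread describes.
                Exposed = ($data -eq 0 -and $zone -in '3', '4')
            }
        }
    }
}

function Disable-ScriptPaste {
    # Sets the current user's value for one zone (default: Internet) to Disable.
    param([string]$Zone = '3')
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    Set-ItemProperty -Path $key -Name $ActionId -Value 3 -Type DWord
}

Get-ScriptPasteSetting | Format-Table -AutoSize
```

Rows with `Exposed` set to `True` are the ones to change, for example with `Disable-ScriptPaste -Zone 3`.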
 
MLC:
Sunday, 2 October 2005, REM wrote:


IMHO it's only a javascript joke.
It calls the function
clipboardData.getData("Text");
which works locally in your client.
I don't think it can be retrieved by the server.

at least then, when it is possible to get it pasted into a (possibly
hidden) entry field in a form that can be submitted to the server.


Best regards,
Sascha
 
