AmigaWorld.net (by the way, check their brand new mobile site too) reader Olegil demonstrates how to read the Windows clipboard using the IE 5+ clipboard API. IE’s clipboard API is a known, deliberate design decision that allows for better interoperability with Office/VBA. But as Olegil shows, the rules of the game are too loose, and information can be stolen and stored on a remote server.
Why would anyone be using IE 5 (Or 6 for that matter, but IE5 is way worse)?
I believe it’s IE5+, so IE6 has the problem, too.
Read more carefully, it’s IE5+, this means that the LATEST IE also has the problem. I wrote IE5+ because this is when this API was first introduced.
The bug still works in the latest patched IE (all Windows updates done, SP2 installed) on Windows XP Home. I use Flock currently anyways, so I don’t care (I love Flock’s Blogging utilities in case anyone is wondering why I use it and not Firefox).
Oops, my bad.
About your title; I really don’t think updates have anything to do with this if it’s a feature done intentionally by Microsoft and they didn’t intend to protect it in the first place. It’s not a very smart feature to leave unprotected, but then I doubt most people using IE out there have sensitive information in their clipboard that often.
I think MS could have a timeout on clipboard content though, most clipboard usage is finished within seconds or minutes, so MS could just have the clipboard cleared a few minutes or an hour after the last time the clipboard buffer was written to.
Just my $0.02
“It’s not a very smart feature to leave unprotected, but then I doubt most people using IE out there have sensitive information in their clipboard that often.”
I beg to differ. I know several people who keep important information like passwords and credit card numbers in text files.
Why would you have your password or credit card information in a text file unless you were dumb?
Also, this “exploit” wouldn’t let you get at those files, only if they copied their credit card number + expiry date, or their password and then went to this site, AND it was a site that was set up to copy that information. How would it know a password from any other word?
Really, all these “SECURITY BREACHES” are a bad thing, so many useless ones like this, and for example the gmail “exploit” (If a cracker has your username and password he can hack your account!) are nothing more than scaremongering.
Plus, it makes it harder to discern the real security threats with all this noise and saber rattling.
Things get worse than this. In Windows, the clipboard is one of the most important ways to get information from one application to another. You say “why would you have your password or credit card information in a text file unless you were dumb,” but I know a security conscious merchant who has his customers’ credit card information encrypted with PGP. When a particular customer needs to be charged, he decrypts the record and copies and pastes the number into the gateway! He does not use Internet Explorer; you should consider reasons sensitive data can, and will, be in the clipboard of many users.
Obviously there is *some* risk involved in this. But it would have to be a perfect storm.
1) Copy sensitive information to your clipboard (how often does this happen, even for this merchant? Does he keep these credit card numbers in his clipboard as he goes to other websites? If you had a card number as 4444555566667777 exp 01/99, and you needed to paste that into a web form, how would you do it? I would grab “4444555566667777”, and then “01/99” if I had it on my computer AT ALL. Personally, I only type it in to my browser on secure websites.)
2) The person would have to go to a website that is exploiting this flaw, and have BOTH the credit card number and expiry date for his data to be compromised.
Compared to having a keylogger on the machine that phones home:
1) Type the credit card number into any application and expiry date.
Which is more likely to happen?
The solution is to simply not store information that you would not want stolen/copied on your computer, at all. Storing it in your clipboard is just asking for trouble.
Certainly this would have to be the perfect storm. Either a key logger or root kit is obviously much more dangerous than this clipboard exploit. A properly exploited merchant computer could yield to the attacker the PGP private key and then it is only a matter of time until the pass phrase could be obtained through an exhaustive password cracker search. The point of most security is to up the ante to the point where exploitation is impractical while still getting useful work done. However, there is no good excuse for Microsoft to leave this clipboard exploit in their browser.
I was wondering just the other day if it might be possible to do this – now I know the answer
Turn off: ‘Allow Paste Operations Via Script’
Returns the word ‘undefined’ With IE 5.5 on Win-Me.
Here’s another one:
http://www.securityfocus.com/bid/9643/info/
http://www.securityfocus.com/archive/1/353508
http://www.infinitybit.com/comsec/clippy.html
Nice for those of us who know…
But what about Average Joe?
Clearly this is something which should be turned off as standard, and only turned on after showing a warning message about being insecure.
Amazing! A security flaw is found in Windows software, yet no flames from Linux or Windows defenders!
And by we, I mean the GNAA and their friends in T4C. When you go to LastMeasure (ie, *.on.nimp.org) your clipboard contents are recorded. In our heyday, we got a lot of juicy information, including passwords, IRC logs, and most of all, the URL of the very site they were at.
There is a clipboard API for Netscape/Firefox, too. It has some semblance of security though.
No.
Please see how copy, cut, and paste work at
http://www.mozilla.org/editor/midas-spec.html
I wonder if this works in IE for Mac? I’m not going to try installing IE just to see but I am curious
What’s sad is that lousy programmers/designers make this feature part of their application, making a patch by MS an issue when their apps get broken.
This comes up every few months, but I keep wondering why it is still spread as “news”. This is not new, not recently discovered. Yours truly has written a page about this (http://tnx.nl/clipboard/) as early as three full years ago, and even then, it was already an old issue.
Microsoft has decided not to care about the privacy of their users and to downplay the chances of there being privacy sensitive information in the clipboard. MS does not agree that reality is a better measure.
Consider it ‘follow up’ news..
Like “MS has still not fixed goofy security breach in IE”
> Microsoft has decided not to care about the privacy of their users
Actually the users do not care about privacy. All who did have switched to some other browser.
The rest are more concerned about getting their data destroyed or corrupted, not about someone else accessing it.
That’s just not true. Most people DO NOT KNOW that their software is unsafe, and that there is free replacement software that is less unsafe.
Dump IE and switch to another browser.
It seems to work in IE7 as well.
> The solution is to simply not store information that you would not want stolen/copied on your computer, at all. Storing it in your clipboard is just asking for trouble.
I store whatever I like in my clipboard and I expect that it stays there and doesn’t get uploaded to some webserver without my knowledge. Blaming the user for such security flaws is evidence of incapacity.
If there’s a popup “Do you want to allow other computers to access your clipboard” and the user clicks “Yes”, *then* you can blame him, but not any earlier. Especially not when the browser ships with such an option *enabled* by default.
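The mitigation mentioned in the thread ("Allow Paste Operations Via Script") can be checked and switched off per security zone from PowerShell. This is an added example, not part of any comment above; it assumes the setting is stored as IE URL action 1407 under the per-user Zones registry key, and the function name and `-Harden` switch are made up for the example.

```powershell
# Added example: audit (and optionally disable) script access to the clipboard in IE.
# Assumption: URL action 1407 is the "Allow paste operations via script" setting
# (named "Allow Programmatic clipboard access" in later IE versions).
# Values: 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Harden)   # hypothetical switch: also write the Disable value

$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Action    = '1407'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ClipboardScriptPolicy {
    foreach ($zone in 0..4) {
        $path  = Join-Path $ZonesKey $zone
        # Missing key or value yields $null rather than an error.
        $value = (Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue).$Action
        $text  = if ($null -eq $value) { 'Not set (zone default applies)' }
                 elseif ($Meaning.ContainsKey([int]$value)) { $Meaning[[int]$value] }
                 else { "Unknown ($value)" }
        [pscustomobject]@{
            ZoneId  = $zone
            Zone    = $ZoneNames[$zone]
            Setting = $text
            # Flag zones where any page can read the clipboard with no prompt.
            Exposed = ($value -eq 0)
        }
    }
}

if ($Harden) {
    # Zones 3 and 4 are where untrusted web pages run; set them to Disable.
    foreach ($zone in 3, 4) {
        $path = Join-Path $ZonesKey $zone
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $Action -Value 3 -Type DWord
    }
}

Get-ClipboardScriptPolicy | Format-Table -AutoSize
```

These are per-user values; a zone setting pushed by Group Policy takes precedence over them.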