clipboard exploit
-
I wondered what the reasons were for Microsoft implementing copy/paste clipboard methods in JScript to be used in Internet Explorer rendered web pages. Maybe Microsoft integrated the browser a bit too much with the OS. After all, to me it's much like a security hole. This allows thieves to steal personal content. Clipboard content often has email addresses or other confidential information being carried. As such, it could do a lot of harm to victims. The issue arises when the victim shapes as virtually everyone surfing the web using Internet Explorer.

And yet, we are not dealing with things like cross-site scripting or spoofed inter-frame access, which have been patched a while ago already (the best to do at this point is to make sure to download the latest browser version, and uncheck all ActiveX scripting boxes from the security tab). No. What I got running first locally, and then throughout my website, turned out to be the ability to steal the current clipboard content of visitors' computers without their consent. Technically, the content is automatically redirected to a target PHP script page where it is used to make an email, sent back to me. I couldn't believe my eyes. But that was only the premise of it. It required 5 lines of JavaScript code, and a trigger, and all of this can be done silently while the surfer is browsing, regardless of his security level.

What is giving me some sweat is that, actually, I believe the same could be done with a single javascripted URL, like when you have an anchor executing inline code instead of a URL. For instance, in message posts. Suddenly, it became apparent to me that all boards, not only CodeProject of course, were at threat and that nasty minds could really take advantage of the audience WITHOUT BEING SEEN. Not new probably, possible since Internet Explorer 4.0, but probably worth being reminded.

[Edit]In case you wondered, this post is safe to click on.[/Edit]
-
Just FYI, you can disable copy/paste via script, although it's tough to find.
IE Options -> Security -> Custom Level -> scroll down to Scripting section -> Allow paste operations via script
The only web site I've ever seen mess with the clipboard is tinyurl.com [nn,ws] which is innocuous but I don't like anyone messing with the clipboard, since it's an irreversible operation. :mad:
--Mike--
"I'm working really, really fast at the moment, so a 3 minute outage becomes, due to time dilation, a 5 minute outage." -- Chris Maunder, relativistic system administrator
-
Javascript is hell! :-D
We do not inherit the Earth from our ancestors, we borrow it from our children - Antoine de Saint-Exupéry (1900-1944)
To be accurate, copy/paste is not part of ECMA JavaScript. It really originated in the MS JScript implementation.
-
Thanks voter! :-)
-
I think you've pointed out a very legit risk because lots of people save all their passwords etc. in a text file and copy and paste them into a website. For example, we have online banking and it's much easier to copy and paste those long numbers rather than typing them. I know that's probably not a good idea all around to save all the passwords in a text file, but I have probably over 300 now and I'm too lazy to write a password database program. I'm disabling it now, thanks for the heads up.
-
Michael Dunn wrote: "The only web site I've ever seen mess with the clipboard"
The point is: webmasters could do this if they want, but the situation is anyone posting on the board could add inline script in their posts, signature or whatever might actually get published. While apparently only a few sites use it (who knows?), admittedly subscribers would immediately resign if they knew such a thing was being done, the threat is much greater in scale since it questions the ability to safely read board posts.
-
Nobody cares about the clipboard, because it is so hidden underneath. But the truth is, as you said, virtually everything gets through it. The additional point about clipboard content theft is that in my php page redirection I also log the referrer and the query string, which gives an amazing amount of qualified information. Last point, the issue is not about webmasters who would deliberately do this. The issue is about people who would post messages with such script embedded in their posts. As such, there are ways to make sure the script gets activated anytime a reader gets the page. Hope this clarifies the situation.
-
Stephane Rodriguez. wrote: "but the situation is anyone posting on the board could add inline script in their posts, signature or whatever might actually get published."
Not on this board, AFAIK scripts are removed from posts ;)
- Anders
Money talks, but all mine ever says is "Goodbye!"
-
Anders Molin wrote: "Not on this board, AFAIK scripts are removed from posts"
I'll let readers decide by themselves whether it's impossible to have script activated by using board posts.
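The exchange above turns on whether removing scripts from posts is enough, given that the original post points at anchors that execute inline code instead of a URL. As an added example (not part of the thread and not CodeProject's own code), a board can allowlist link schemes after normalising each href the way a browser would; the function names, the allowlist and the sample links are constructed for illustration.

```javascript
// Added example: scheme allowlist for link targets in user-submitted posts.
// ALLOWED_SCHEMES, the function names and SAMPLE_HREFS are illustrative assumptions.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode character references the browser resolves inside an attribute
// value before it interprets the URL (numeric forms plus a few named ones).
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', colon: ":", tab: "\t", newline: "\n" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1] === "x" || ref[1] === "X";
      const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : "";
    }
    const key = ref.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}

// Return the lower-cased scheme, or null for a relative URL.
// Whitespace and control characters are dropped first, because browsers
// ignore some of them when they look for the scheme; dropping all of them
// errs on the side of rejecting.
function linkScheme(href) {
  const cleaned = decodeEntities(String(href)).replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allow relative links and allowlisted schemes; reject everything else.
function isSafeHref(href) {
  const scheme = linkScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample link targets, as they might appear in submitted posts.
const SAMPLE_HREFS = [
  "https://www.example.com/article", "/forum/thread?id=42", "mailto:someone@example.com",
  "javascript:void(0)", "  JaVaScRiPt:void(0)", "java&#9;script:void(0)",
  "&#x6A;avascript&colon;void(0)", "vbscript:x", "data:text/html,x",
];

function auditLinks(hrefs) {
  return hrefs.map((h) => ({ href: h, scheme: linkScheme(h), allowed: isSafeHref(h) }));
}

for (const r of auditLinks(SAMPLE_HREFS)) {
  console.log(r.allowed ? "allow " : "reject", JSON.stringify(r.href), "scheme:", r.scheme);
}
```

The check only classifies the link target; event-handler attributes and other markup in a post need their own allowlist on the element and attribute level.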
-
Stephane Rodriguez. wrote: "Technically, the content is automatically redirected to a target php script page where it is used to make an email, sent back to me."
Only if you give the site your email address to begin with.
cheers, Chris Maunder
-
Yeah, the target page is hosted by my very site. I have no real trouble giving an address to send the emails to.