-
1
- #1
Browsing the internet with Internet Explorer can expose your Windows clipboard if the appropriate IE setting is not disabled or set to force a prompt before allowing paste operations via script. Note, I'm not familiar enough with other browsers to say whether they also could have this issue.
This clipboard vulnerability had originally been reported and demonstrated on but it seems to be offline or delisted now. Here is the news article about it:
In case you didn't know, the IE user does expose his Windows clipboard to the worldwideweb when he goes browsing if a paste setting in Internet Explorer is enabled. It defaults to "Enable" for all security levels except High where it is disabled. There is a third setting "Prompt" but in all cases this must be set manually by the computer user. All who browse the Internet ought to make sure to set it to "Prompt" if they have a lower security level set.
Here is an example of someone who is currently reading and/or changing the clipboard via IE without any upfront notification to the viewer of the page. First, before going there, be sure to set your IE Tools, Internet Options, Security tab, Custom Level button, Scripting, Allow paste operations via script, to "Prompt" or your clipboard contents may be read and changed without your knowledge. This link is to eBay where you can look at any of this seller's auctions and get the prompt "Do you want to allow this page to paste information from your clipboard? [Yes][No]".
What happens if I click on "Yes"? My clipboard is cleared and changed to a space! Was my clipboard read? Probably so, but since the user blocks the mouse' right-click, I cannot see the page's source code. I know there are ways to get around that, but I couldn't.
(Read entire post before clicking here!)
Auction site eBay has rules about proper seller conduct and this may have crossed the line, so they were advised in late July 2004. See similar thread760-888613. This behavior is as described up through today 8/16, but if it really is a no-no on eBay, then you may find it removed or fixed eventually if eBay takes action or the Power Seller stops.
Strangely, this is apparently not a new user, as this seller seems to have well over 7300 "satisfied" customers. If so, then he must have had literally many tens of thousands viewing his auction pages. The potential risk is that no one knows what is being done with the clipboard contents. While there may be other sellers reading and/or changing the user's Windows clipboard, this is the first I've encountered.
Microsoft made this Script pasting option with 3 settings, Disabled, Prompt and Enabled. If you set it to the highest security setting, it is Disabled, but in all other security settings it is Enabled. Why didn't MS set the medium or intermediate level security profiles to Prompt? Prompt is never used unless it is manually set.
Let the browser beware...
This clipboard vulnerability had originally been reported and demonstrated on but it seems to be offline or delisted now. Here is the news article about it:
In case you didn't know, the IE user does expose his Windows clipboard to the worldwideweb when he goes browsing if a paste setting in Internet Explorer is enabled. It defaults to "Enable" for all security levels except High where it is disabled. There is a third setting "Prompt" but in all cases this must be set manually by the computer user. All who browse the Internet ought to make sure to set it to "Prompt" if they have a lower security level set.
Here is an example of someone who is currently reading and/or changing the clipboard via IE without any upfront notification to the viewer of the page. First, before going there, be sure to set your IE Tools, Internet Options, Security tab, Custom Level button, Scripting, Allow paste operations via script, to "Prompt" or your clipboard contents may be read and changed without your knowledge. This link is to eBay where you can look at any of this seller's auctions and get the prompt "Do you want to allow this page to paste information from your clipboard? [Yes][No]".
What happens if I click on "Yes"? My clipboard is cleared and changed to a space! Was my clipboard read? Probably so, but since the user blocks the mouse' right-click, I cannot see the page's source code. I know there are ways to get around that, but I couldn't.
(Read entire post before clicking here!)
Auction site eBay has rules about proper seller conduct and this may have crossed the line, so they were advised in late July 2004. See similar thread760-888613. This behavior is as described up through today 8/16, but if it really is a no-no on eBay, then you may find it removed or fixed eventually if eBay takes action or the Power Seller stops.
Strangely, this is apparently not a new user, as this seller seems to have well over 7300 "satisfied" customers. If so, then he must have had literally many tens of thousands viewing his auction pages. The potential risk is that no one knows what is being done with the clipboard contents. While there may be other sellers reading and/or changing the user's Windows clipboard, this is the first I've encountered.
Microsoft made this Script pasting option with 3 settings, Disabled, Prompt and Enabled. If you set it to the highest security setting, it is Disabled, but in all other security settings it is Enabled. Why didn't MS set the medium or intermediate level security profiles to Prompt? Prompt is never used unless it is manually set.
Let the browser beware...
