Internet Explorer Clipboard Vulnerability

Martin Brinkmann
Dec 19, 2007
Updated • Mar 2, 2014

Are you using Microsoft Internet Explorer? You may be shocked by the following example of how insecure the browser really is. Copy some text to the Windows Clipboard; you can use the text that you are reading right now or any other text that you come across. Now visit the IE Clipboard Test website and see what happens.

Update: Please note that the website is no longer available. You can try out

If you run Internet Explorer 7, you will be asked whether you want to allow Internet Explorer access to your clipboard; if you run a previous version, you will not be asked at all. If you say yes, or use a previous version, the contents of your clipboard are displayed on the website.

This means that a website can read (and thus store) information that is stored in the Windows Clipboard. It gets better: stay on that website and copy another text to your clipboard. You will see that the new text appears on the demonstration website as well.

You can bet that webmasters with malicious intent will not be so nice as to display the contents of your clipboard all the time; they will try to use that information against you.

Your only choice? Upgrade to Internet Explorer 7 if you are using an older version, or switch to Opera or Firefox. You could also disable JavaScript in Internet Explorer, but a lot of websites use JavaScript and could stop working as a result.

Newer versions of Internet Explorer, including IE7 and IE11, have set the feature to prompt, which means that you will receive a notification whenever a site or service wants to access the contents of the clipboard.

To manage this, open Internet Options in Internet Explorer, switch to the Security tab, and click on Custom level for the zone that you want to modify.

Locate the Scripting section, which should be near the bottom of the list, and check the preference "Allow Programmatic clipboard access". It should be set to Prompt or Disable.
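The same check can be scripted across all zones. The following PowerShell audit is an added example, not part of the original article. It assumes the preference is stored as registry value 1407 under the per-zone Internet Settings keys (0 = Enable, 1 = Prompt, 3 = Disable) and that policy keys override user keys; the function name is illustrative.

```powershell
# Added example: report "Allow Programmatic clipboard access" for every security zone.
# Assumption: registry value 1407 backs that preference (0 = Enable, 1 = Prompt, 3 = Disable).
$zones   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Assumption: policy locations come first because a policy value overrides the user's own choice.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ClipboardZoneSetting {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        # Take the first location that defines value 1407 for this zone.
        $found = $null
        foreach ($root in $roots) {
            $prop = Get-ItemProperty -Path "$root\$id" -Name '1407' -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $found = [pscustomobject]@{ Source = $root; Value = [int]$prop.'1407' }
                break
            }
        }

        $setting = if ($null -eq $found) { 'Not set' }
                   elseif ($meaning.ContainsKey($found.Value)) { $meaning[$found.Value] }
                   else { "Unknown ($($found.Value))" }

        [pscustomobject]@{
            Zone    = $zones[$id]
            Setting = $setting
            Source  = if ($found) { $found.Source } else { '' }
            # Enable permits silent clipboard reads; Not set and Unknown need a manual check.
            Finding = if ($setting -in 'Prompt', 'Disable') { 'OK' } else { 'REVIEW' }
        }
    }
}

Get-ClipboardZoneSetting | Format-Table -AutoSize
```

Any zone reported as REVIEW should be set to Prompt or Disable through the dialog described above or through Group Policy.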

Update: Note that newer versions of Internet Explorer have been released and that you should update the browser on your system to make sure your system is protected and running a better version of the browser.

For Windows XP, that is Internet Explorer 8. Windows Vista users can download and install Internet Explorer, as can Windows 7 users who also get access to Internet Explorer 10 in the near future.


Comments

  1. D3 said on December 22, 2007 at 4:09 am

    yes yes, JoJo you seem like an “intellect”. so i’ll try to make this not so insulting. MS would make more money if they had a better product. look at Apple they released an update and they are actually charging for it hmmmm, it must be worth it. Plus, MS or software companies make most of their money off of licensing their product to huge corporations. But, when an inferior product such as, let’s say VISTA, for an example, people will be “upgrading” by migrating back to XP. which makes no sense whatsoever, cuz then MS wouldn’t be making any money and will have to support the “old releases”. and frankly i don’t care how far you can piss.

  2. Jojo said on December 21, 2007 at 11:28 am

    @D3 – I use FF. But IE is installed by default and you generally need it to access sites that rely on active-x controls, like Microsoft, unless you want to use that FF add-in that allows active-x to run, which I don’t.

    No consumer software can ever be entirely secure. MS, like all other software vendors, is bound by the base code for Windows. Even Vista is just more code added on top of the old WinNT base which was developed when, 1991 or so?

    The only real way to improve security would be to rewrite the OS from the ground up. I’d like to see MS do this as I believe that the OS could be more stable and more maintainable were they to do so. You can only put so many band-aids on.

    Meanwhile, I don’t know what the problem is here? Do you want software vendors to support old releases of software forever? If people don’t buy new releases, how does the company pay the bills and stay in business?

  3. D3 said on December 21, 2007 at 8:00 am

    And that JoJo, is why one should NOT use IE7 or IE in general. I didn’t have this problem in FF.

    But the fact remains, that if you use a Microsoft product you may have compromised functionality. Why would/should a user be subjected to less than secure software? I’m aware all software can be compromised, just in MS’ case it’s more so.

  4. Jojo said on December 20, 2007 at 8:36 pm

    And that Martin, is why one should upgrade to IE7. People hate change though so they come up with objections as to why they don’t/can’t upgrade.

    But the fact remains that if you don’t upgrade, you may have limited functionality. Why would/should a vendor support old code? It takes resources and complicates maintenance.

  5. Martin said on December 20, 2007 at 12:48 pm

    JoJo that is what I said :P The problem, the real one besides the fact that many users would simply click Yes on that message assuming that it was necessary to display the page, is that IE6 and previous versions do not ask that question.

    No alert at all for the user. And that is scary.

  6. Jojo said on December 20, 2007 at 12:03 pm

    OK, tried it again. No problems in FF (my default browser).

    In IE7, I get a prompt as follows:

    Do you want to allow this webpage to access your Clipboard?

    If you allow this, the webpage can access the Clipboard and read information that you’ve cut or copied recently.

    If I reply no, then no problems. If I reply yes, then I can see the clipboard text.

    So, don’t click yes and allow the browser to access the clipboard. Problem solved.

  7. D3 said on December 19, 2007 at 6:27 pm

    wow, I’m speechless. tried it with both firefox and ie7, didn’t work with ff but did with IE7.

  8. zzzZZZzzz said on December 19, 2007 at 3:03 pm

    I followed the steps and now my laptop is dead, the disk was formatted. IE is really dangerous.. What to do now, Martin?

    .. just kidding :D

  9. Martin said on December 19, 2007 at 11:56 am

    Well the explanation on the website is not that important. If you see your clipboard on that site, that is ;)

  10. Jojo said on December 19, 2007 at 11:51 am

    I visited the IE Clipboard Test link. But it is in German and I can’t read German [lol]

  11. Roman ShaRP said on December 19, 2007 at 10:53 am

    Like some people say – “Don’t use IE, IE is evil” ;)

  12. Ace_NoOne said on December 19, 2007 at 10:42 am

    This vulnerability also exists in all browsers with a Flash plugin – at least for writing to the clipboard (not sure about reading the clipboard contents, which is obviously more sensitive).
    There are some perfectly sensible applications for this (e.g. copying code blocks to the clipboard), but it is an issue one should be aware of.
