Forgot your password?
typodupeerror
Internet Explorer Microsoft Programming The Internet IT Technology

Clipboard Data Theft Now Optional With IE7 162

Posted by Zonk
from the options-are-good dept.
An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."
This discussion has been archived. No new comments can be posted.

Clipboard Data Theft Now Optional With IE7

Comments Filter:
  • not quite (Score:5, Insightful)

    by pchan- (118053) on Thursday December 21, 2006 @04:10PM (#17328790) Journal
    Firefox, Opera and most other non-IE browsers forbid this behavior by default

    No, they don't forbid. They DON'T IMPLEMENT such a stupid idea. Microsoft had to go out of their way to ADD this "feature".
    • Re: (Score:3, Informative)

      by ruiner13 (527499)
      I could be wrong, but I think I remember a setting in Firefox's about:config page that allows you to enable sites to access the clipboard. This may have been removed, but I think it was in there at least in FF 1.0. There is still something called clipboard.autocopy in there in FF 2.0.0.1, I don't recall if this is the same setting.
      • Re: (Score:3, Informative)

        by Thansal (999464)
        quick google tells us that clipboard.autocopy is a *nix only option that automaticly copies seleced text to the clipboard.
      • Re: (Score:3, Informative)

        by Binestar (28861)
        clipboard.autocopy is the setting to tell you if you want highlighted text to automagically be copied instead of doing it with the mouse/keyboard.

        signed.applets.codebase_principal_support Gives scripts using codebase principals access advanced scripting capabilities. Basically, it allows signed applets out of the sandbox because they've promised to play nice. One of the main uses of this (according to the help page) is to allow IRC applications access to your clipboard.

        http://kb.mozillazine.org/Firef [mozillazine.org]
    • Re: (Score:3, Informative)

      by liquidpele (663430)
      Actually, I wrote an intranet site that uses this feature. For firefox, I had to use a flash hack to make it work though, so technically with a default Firefox install you can still mess with the clipboard anyway. I agree for normal internet sites there is no need though. You can also enable it through firefox advanced parameters in about:config, but I don't have the link to that information at the moment.
      • Re: (Score:2, Funny)

        by silentounce (1004459)

        Actually, I wrote an intranet site that uses this feature. For firefox, I had to use a flash hack to make it work though, so technically with a default Firefox install you can still mess with the clipboard anyway. I agree for normal internet sites there is no need though.You can also enable it through firefox advanced parameters in about:config, but I don't have the link to that information at the moment.
        That's ok, give me your url and I'll stop by and drop it off.
      • by jesser (77961)
        Do you know what other "security holes by design" Flash has? Or other widely used plugins, for that matter?

        I first became aware of this particular one when mkaply filed bug 360950 [mozilla.org], and I've been trying to figure out how to incorporate it into Security tips for Firefox users [squarefree.com].
      • by a.d.trick (894813)

        For firefox, I had to use a flash hack to make it work though, so technically with a default Firefox install you can still mess with the clipboard anyway.

        Well no, because (thank God) Flash is not installed by default. Also, this security bug in Flash. Plugins have just as much control over your computer as Firefox does (this is how it works with any browser) and it is up to the plugin's authors to keep their plugin secure. Macromedia/Adobe have failed but they probably couldn't care less. That's why plugin

    • Re:not quite (Score:5, Informative)

      by uncommonlygood (764935) on Thursday December 21, 2006 @04:37PM (#17329230)

      Don't know about the others, but firefox definitely does implement it [mozillazine.org], it's just off by default.

    • Re:not quite (Score:5, Insightful)

      by AchiIIe (974900) on Thursday December 21, 2006 @04:45PM (#17329330)
      Not so fast. Have you tried using google spreadsheets? Try -- then try selecing something, right click and select "Copy", or "Paste"
      - Whoah, you can't copy paste unless you manually do CTRL-V, or CTRL-X/C

      I gave up on using word/openoffice I simply use writely for all my documents. I've had documents being edited with up to 50 people just fine.
      Think twice before blindly bashing microsoft. There are some of us that want that "feature"
      • I can cut and paste from my browser too and it doesn't support this 'feature'. Or does Google Office reimplement cut and paste ignoring the fact that GUI has it built in already?
        • Re: (Score:2, Informative)

          by AchiIIe (974900)
          Keep in mind, this is an Ajax app, the "GUI" does not know about the internal schema that google spreadsheets uses. I'm not talking about just copying some text, when using spreadsheets you may want to copy a whole row, or a table - formulas formatting & all the works so you can paste it in excel/openoffice/gnumeric In this case you Have to give access the the javascript application so that it can construct the correct representation and place it in the clipboard.
          • Yeh *blush* I see what you mean. I'll check it out before I post next time.
          • Actually, using Ctrl+C and pasting it into an OpenOffice spreadsheet yields the same results as using the AJAX copy button in IE7 and allowing clipboard access. Both lose the formatting, but copy the data into the correct cells.

            Still, IE7's way does seem better in this case.
      • Re:not quite (Score:4, Informative)

        by master_p (608214) on Thursday December 21, 2006 @07:28PM (#17331540)
        But copy-paste works locally. When you copy-paste data between your documents, even on the web, javascript puts the data on the local clipboard. Remote apps should not be able to steel data from the local clipboard.
    • by Somatic (888514) on Thursday December 21, 2006 @04:52PM (#17329442) Journal
      Public: What on earth would motivate you to implement such a thing?

      MS: It seemed like a good idea at the time.

      Public: In what way did it seem like a good idea?

      MS: Well, maybe not a good idea, but an idea.

      Public: So thinking was involved.

      MS: Well, it was more like inspiration.

      Public: ...

      MS: They throw chairs at us. Help. Please.

      • by DaoudaW (533025)
        Public: ...

        MS: They throw chairs at us. Help. Please.


        Funny, I always thought it M$ that threw chairs [google.com].
        • by Somatic (888514)
          Yeah, that last line was supposed to be the voice of the MS programmers. Sometimes I wish we had edit buttons round here.
    • My god, I don't know how I've missed this one. It's the most scary thing I've seen in a long time. I like to think I'm pretty savvy, and I stay up with all of the latest scoop, but this is the first I've read about this gaping security hole.

      For the past half hour, I've been showing people I work with this exploit (I'm sorry, I refuse to call it a "feature"), and everyone's been forwarding e-mails to their home account with two pieces of information: 1) The ScriptingMagic site URL to play with at home an

    • Re: (Score:3, Insightful)

      by Tim C (15259)
      They DON'T IMPLEMENT such a stupid idea.

      Well, Firefox does [mozillazine.org], although it's off by default and requires a site to be whitelisted. Globally allowing silent access to the clipboard is shockingly bad, though, even if in the vast majority of cases the contents will be perfectly benign; it speaks volumes about the general attitude towards security.
    • No, they don't forbid. They DON'T IMPLEMENT such a stupid idea. Microsoft had to go out of their way to ADD this "feature".

      The "feature" in question is the following JavaScript snippet:

      document.execCommand('paste', false, false);
      // where document is any document object having designMode="on"

      Firefox throws an exception "Access to XPConnect service denied" and Opera 9 claims no support (throwing "NOT_SUPPORTED_ERR"). 'copy' and 'cut' throw similar exceptions.

      So, yes, Mozilla DOES IMPLEMENT this "stupi

  • Probably? (Score:5, Insightful)

    by ifrag (984323) on Thursday December 21, 2006 @04:12PM (#17328818)
    How is something like this only "probably ill-advised".
    This is beyond complete stupidity. I probably can't even count the number of times I've had security sensitive stuff in the clipboard.
    • by pclminion (145572)

      It's probably NEVER a good idea to keep sensitive data in the clipboard. You never know when that particular chunk of memory might get swapped out to disk. When that happens, your "secure" data is now sitting in plaintext form inside your swap file. Secure data really needs to be handled only by secure applications (with appropriate memory pins to prevent sensitive data from going out to an unencrypted volume). The clipboard is definitely not something I'd consider for that purpose.

      I've grepped for my ema

      • by jesser (77961) on Thursday December 21, 2006 @05:07PM (#17329690) Homepage Journal
        You're worried that if someone steals your laptop, they might be able to find your email address and spam you?
        • Re: (Score:3, Informative)

          by pclminion (145572)

          You're worried that if someone steals your laptop, they might be able to find your email address and spam you?

          First of all, I said email PASSWORD, not address. Somebody could steal my laptop and read my email and send email from my account. That would require them to be able to discern the password in all the millions of bytes of swap data, but I can imagine writing a program that could scan for candidates.

          If my email password happened to be equal to my main account password (as can happen due to cert

          • by jesser (77961)
            Sorry, I misread your comment. Makes me wonder how I got modded up, making fun of you for something you didn't say ;)

            But more seriously...

            I think it's pretty hard for applications to manipulate data (even passwords) in a way that guarantees they are never written to a swap file. And that's assuming your computer is *off* when it's stolen; it takes even more care to ensure the data doesn't remain in memory.

            If you're paranoid enough to want to protect that data, though, why not encrypt your entire user acco
      • Simple solution: use enough ram so you don't need the swap file. Unless you're in Ubuntu (and maybe others), which, iirc, doesn't let you not use one.
        • Simpler solution: Click the "use secure virtual memory" button in OS X. You can set up similar schemes for other operating systems as well with a bit of effort.
    • I wonder. Why aren't they going to fix this for IE6?
  • by Squapper (787068)
    ...what on earth where they thinking in the first place?
    • Methinks MS is secretly in cahoots with the spam, porn industry and mafia.

      "Oh... we uhh.. put in a huge security hole?? Whoopsiedoodle!! Tee hee hee...Sorry."
  • Thank God it's no longer compulsory!

    Thanks MS!
  • Can't Believe It (Score:3, Insightful)

    by endianx (1006895) on Thursday December 21, 2006 @04:15PM (#17328866)
    I had no idea that was possible. I would never have imagined they would do something so stupid, even Microsoft. What other "features" do they have that I don't know about? I fear to think.
    • by CastrTroy (595695)
      I've known about this feature for a long time. I once had thoughts of implementing a feature into my site where I automatically got the information off the clipboard and sent it to my server, just to see what I could pick up. I decided not to, however, I'm sure many people are not as honest as I am.
  • by Anonymous Coward on Thursday December 21, 2006 @04:19PM (#17328930)
    Please PLEASE, let this warning be issued by Clippy. Such a stupid feature necessitates an equally stupid user interface.

    "It looks like h4XX0R5.net would like to see what's on your clipboard."

    /nostalgic for Clippy
  • by PingSpike (947548) on Thursday December 21, 2006 @04:21PM (#17328962)
    Internet Explorer:
    Send personal data to unknown source? Click Ok to continue.
  • Why? (Score:3, Insightful)

    by Archangel Michael (180766) on Thursday December 21, 2006 @04:29PM (#17329080) Journal
    I mean why is it even "optional"? I cannot even think of a reason why ANY website would need access to my clipboard stuff, under any circumstances!

    [new phishing scam]
    Open text document, type in password, copy the password to clipboard, click this link, and we'll verify that your password matches the one in our file. Honest!
    • Re: (Score:3, Interesting)

      by karmatic (776420)
      It's sometimes conveinent to be able to _put_ things in the clipboard. TinyURL uses this feature to automatically copy the generated link to the clipboard for pasting. I've also seen an IRC search engine that pre-copied the file transfer commands for you.

      I still can't see a good reason to let the web page automatically get clipboard data. If you need it that badly, throw up a text box, and have the user hit paste.
      • by jesser (77961)
        It may be convenient, but it's also a severe security hole. If you paste anything from an untrusted site into a terminal window or into mIRC, you're owned. (I make this point on Security tips for Firefox users [squarefree.com].) If web sites were able to put data on your clipboard without your knowledge (e.g. without you pressing Ctrl+C), it would be even worse.
      • by Onan (25162)

        I'm sorry, but allowing global write access to my clipboard is also multiple types of insane:

        Clobbering my clipboard destroys whatever information I had on it. Given that my system does not habitually destroy that for no good reason, sometimes that's unique information that I don't have anywhere else. I don't want it poofed by some web site being "helpful".

        Clobbering my clipboard ensures that the next time I paste, something different will happen than what I expected. Obviously this can be leveraged into th
      • I could see a need for a web page to run some script to process data when I press Ctrl+V, perhaps being able to process a different type of clipboard data than just text. BUT there's no way in hell it should be possible to get that data if I didn't press Ctrl+V.
    • Re: (Score:3, Insightful)

      by enharmonix (988983)

      I mean why is it even "optional"? I cannot even think of a reason why ANY website would need access to my clipboard stuff, under any circumstances!
      http://docs.google.com/ [google.com]
  • by Anonymous Coward

    I've said it before, and I'll say it again: half of MS's security problems are stupid defaults. You've been able to disable "allow paste from script" in IE for ages now, but it's ENABLED BY DEFAULT. Stupid, STUPID, STUPID!!!

    Now, if they would just unhide extensions by default, and disable ActiveX by default except for pages on the trusted list (or just get rid of ActiveX totally, but I realize that'd be asking for too much), and get rid of a few other stupid defaults that I always uncheck on a new inst

  • by Target Drone (546651) on Thursday December 21, 2006 @04:30PM (#17329100)
    If I read the articles correctly it seems there are 2 ways to access the clipboard data.
    1. Via the javascript windows.clipboard object.
    2. You embed an active-x spreadsheet in your page (which gets installed with office) then java script can call a method to paste the contents of the clipboard into a cell in the spreadsheet.
    Anyone know if both methods are now fixed? The Washington Post article doesn't seem to say.
    • by lostboy2 (194153) on Thursday December 21, 2006 @05:15PM (#17329808)
      Not "fixed" (as in removed), but apparently you can turn it off [microsoft.com] in IE4 through IE6.
      • by lostboy2 (194153)
        Oh, now that's funny: disabling the "Allow paste operations via script" option in IE6 breaks the "copy & paste" feature in Yahoo Mail Beta. GMail and regular Yahoo Mail still works fine though.

  • by Joebert (946227)
    ... before someone ignores that little "This is a Phishing site you fucking moron !" indicator & clicks "ok" for this prompt.

    Yes, it's possible to disable it completely through Internet Security Settings with a setting called "Programatic Clipboard Access".
  • by wumpus188 (657540) on Thursday December 21, 2006 @04:35PM (#17329198)
    yy
    p
  • I lot of people playing WoW have said they used cut-and-paste on their password to avoid key loggers. (yea real smart having it in plain text in another file anyways). I wonder if they know about this vulnerability.
    • by nuzak (959558)
      Virtually all malware that installs a keylogger probably installs a clipboard watcher too. Most of them ALSO sniff passwords on the wire too (though I doubt they're sniffing WoW's protocol stream). You can try copying and pasting pieces of the password out of order. No one's going to bother reassembling it when there's easier targets for less effort. Better yet you can use a machine that you're more confident hasn't been rootkitted.
  • by EXTomar (78739) on Thursday December 21, 2006 @04:38PM (#17329242)
    Once again Microsoft instead of recognizing a bug decides unplanned behavior is trying to treat it like a feature. Most other designers would call this a bug but but there is something else beyond the definition. What possibly earthly reason would there be for a server to request the content of client's clipboard?? I'm having an extremely hard time imagining a use case for such an event even with Ajax web applications.

    So instead of fixing the bug, they treat it like a feature and ask for confirmation. This behavior by default should never be allowed in any context let alone a web/internet one. Asking for user confirmation on an action not allowed is silly and yet another scary dialog where the user won't bother reading or understanding the warning and just click "Yes" to dismiss and continue on their browsing.

    I hate sounding negative when talking about Microsoft's technology but it is stances like this that make it so hard to avoid.
    • Re: (Score:3, Insightful)

      by Abcd1234 (188840)
      Once again Microsoft instead of recognizing a bug decides unplanned behavior is trying to treat it like a feature.

      Actually, what's sad is that this *really was a feature*! A bug implies unintended behaviour. But clearly, they *meant* it to work this way.
    • by jesser (77961)
      What possibly earthly reason would there be for a server to request the content of client's clipboard?? I'm having an extremely hard time imagining a use case for such an event even with Ajax web applications.

      Usually, the site wants to offer an alternate user interface for the Paste command.

      The most common example is a WYSIWYG editing box with a 'B' button, an 'I', button, etc. Maybe they think users expect Cut/Copy/Paste buttons on any toolbar that includes text-styling commands, and won't think to use th
  • by Zarjay (891644)

    Why didn't Microsoft just fix the problem instead of adding a user confirmation prompt? Why is it important for IE to allow websites to get clipboard data from users?

    That's a screwy way of fixing a security defect, if you ask me.

    • Fixing it required adding a dialog with two buttons - "Yes | No".

      I mean, how much time it took you the first time you added a dialog and two buttons to a program? It's understable that it took them 3-4 years to implement and test!
    • by Shados (741919)
      The problem isn't that. The feature is there so you can add usuability features to your site. Like a better, and customised "right click" menu, for example with data grids, or text editors. A way to, let say, parse Word clip board and strip formatting. Pasting HTML with a special formatting. You name it. Its useful.

      The problem is that since this is accessible in javascript, you could, let say, paste that data in a hidden field, so that when a user post a form, it will post their clipboard. Or use Ajax to pu
  • For a second there I thought summary said: "IE7 throws up a warning asking whether users really want to let a site felch their clipboard data."
  • example (Score:2, Informative)

    by c00rdb (945666)
    here's a site that has a valid use for the paste part of the exploit. not sure about the retrieval part... (works on firefox too) www.2prong.com
    • Re: (Score:3, Informative)

      by fbjon (692006)
      That site works in Opera too, incidentally, but it's not an example of the security hole. It can only overwrite the content in the clipboard, not copy it back, so it's not a problem. Though perhaps a mild annoyance if you happen to store all your important data and private keyfiles in there.
  • by eno2001 (527078) on Thursday December 21, 2006 @05:05PM (#17329666) Homepage Journal
    It's not like people are gonna be able to get anything valuable out of the cut and paste buffer. It's like what? 8k max? And how many people cut and paste valuable things like password, credit card numbers, user IDs, and the like anyway. The most any hacker will get would be part of someone's goofy school paper, a portion of an e-male, maybe at worst a URL (GASP!). This is so like a non-issue. As if...

    [SLASHDOT CLIPBOARD IE7 CONTENT DUMP for User eno2001]:

    eno2001 14m431337h4ck3r (419)555-2727
    Look at this later: http://www.iheartfurries.com/ [iheartfurries.com]

    ub3rsm00vem4l3: So baby... my wife's out of town the whole weekend. Cum over and play?
    SororityBabe6500000: Oh yeah! Let's party!

    Books to read: How to Build a Nukyelar Bomb in Your Basement for Less than the cost of a Washing Machine, Trisexuals are People Too: A Study in Prejudice, How to Win an Election the Easy Way (Diebold Hacking)

    Important investment info: Steve B said I should sell the Novell stock early next week. Remember to tell Feingold ASAP.

    [END SLASHDOT IE7 CLIPBOARD CONTENT DUMP]
  • Only in Opera (Score:2, Interesting)

    by ZPWeeks (990417)
    I regularly hop between Firefox, IE7, and Opera. Call me indecisive. My university, like many, uses WebCT pretty extensively. Some places deliver quizzes, exams, and assignments solely through WebCT. The program uses this clipboard function somehow- I assume to watch for plagiarism. It's one of the very few ways I wouldn't object to this "feature". The only browser to ever notify me of WebCT looking at my clipboard was Opera. Probably for this reason, WebCT warns of "incompatibility" with opera, but still a
  • Workaround for IE6 (Score:2, Informative)

    by edraven (45764)
    Change the security setting for "Allow paste operations via script" to "Prompt". Now it'll ask you every time a script interacts with the clipboard, as near as I can tell. For example, when you're pasting text into the form on Google Maps, it'll ask you if that's okay even though it's you the user requesting the paste operation. But pasting into the Post Comment form here on slashdot does not.

    This has an interesting side effect on the "harmless" exploit page mentioned in the article, though. The script on t
  • I am by no means fond of Microsoft, but darn . . . never would I have guessed that they had ever implemented such a feature. I mean . . . I have been working with the assumption that MS has really smart guys, but the higher ups are just total scumbags. But how could anyone willfully implement such a thing into a publicly consumed product? This for me is a new low.
    • Re: (Score:2, Troll)

      by dave420 (699308)
      Well, Firefox has the same feature, so I guess you have to be angry with them, too.
  • My IE7... (Score:2, Informative)

    by sheepoo (814409)
    ...did not prompt me!
  • by Anonymous Coward
    I think the reason they finally did this was to make it harder to use Google docs and spreadsheets--very annoying to get a prompt every time you copy/paste a cell in the sheet.
  • I don't know if this has been commented on already, but there is an option in the IE settings that controls this setting. Does no-one on /. ever go through application settings first? Under scripting: "Allow programmatic clipboard access" I think it is.

    Unless this is something completely different... (Oh, and please fill in my survey for my dissertation! http://www.survey.flere.co.uk/ [flere.co.uk] :) It's about online shopping and only takes less than 10 minutes! Thanks)
    • by freeweed (309734) on Thursday December 21, 2006 @06:28PM (#17330908)
      Does no-one on /. ever go through application settings first?

      Yes.

      Do we even know about, let alone go through all 5,000 braindead security settings that Windows seems to have these days? Hell no. After a while, you have to assume a vendor would do SOMETHING right. This one floored me completely. I thought a dozen open network ports on a home desktop OS was stupid, but this is beyond belief.

      Things like this are why I moved to Linux. It's simply impossible to keep up with every idiotic setting that needs to be changed after a default Windows install.
  • Ironic. (Score:2, Insightful)

    by lukateake (619282)
    Since the offending script stealing my clipboard will only be grabbing itself since I just came to the site to see how they implement clipboard access in JavaScript.

It's later than you think, the joint Russian-American space mission has already begun.

Working...