
Clipboard Data Theft Now Optional With IE7

An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."

  • Re:not quite (Score:3, Informative)

    by ruiner13 ( 527499 ) on Thursday December 21, 2006 @04:22PM (#17328970) Homepage
    I could be wrong, but I think I remember a setting in Firefox's about:config page that allows you to enable sites to access the clipboard. This may have been removed, but I think it was in there at least in FF 1.0. There is still something called clipboard.autocopy in there in FF, I don't recall if this is the same setting.
  • Re:not quite (Score:3, Informative)

    by liquidpele ( 663430 ) on Thursday December 21, 2006 @04:25PM (#17329014) Journal
    Actually, I wrote an intranet site that uses this feature. For firefox, I had to use a flash hack to make it work though, so technically with a default Firefox install you can still mess with the clipboard anyway. I agree for normal internet sites there is no need though. You can also enable it through firefox advanced parameters in about:config, but I don't have the link to that information at the moment.
  • Re:not quite (Score:3, Informative)

    by Thansal ( 999464 ) on Thursday December 21, 2006 @04:27PM (#17329040)
    quick google tells us that clipboard.autocopy is a *nix only option that automatically copies selected text to the clipboard.
  • by Joebert ( 946227 ) on Thursday December 21, 2006 @04:30PM (#17329108) Homepage
    ... before someone ignores that little "This is a Phishing site you fucking moron !" indicator & clicks "ok" for this prompt.

    Yes, it's possible to disable it completely through Internet Security Settings with a setting called "Programmatic Clipboard Access".
  • Re:not quite (Score:3, Informative)

    by Binestar ( 28861 ) on Thursday December 21, 2006 @04:37PM (#17329222) Homepage
    clipboard.autocopy is the setting to tell you if you want highlighted text to automagically be copied instead of doing it with the mouse/keyboard.

    signed.applets.codebase_principal_support gives scripts using codebase principals access to advanced scripting capabilities. Basically, it allows signed applets out of the sandbox because they've promised to play nice. One of the main uses of this (according to the help page) is to allow IRC applications access to your clipboard.
  • Re:not quite (Score:5, Informative)

    by uncommonlygood ( 764935 ) on Thursday December 21, 2006 @04:37PM (#17329230)

    Don't know about the others, but firefox definitely does implement it, it's just off by default.

  • example (Score:2, Informative)

    by c00rdb ( 945666 ) on Thursday December 21, 2006 @05:02PM (#17329628)
    here's a site that has a valid use for the paste part of the exploit. not sure about the retrieval part... (works on firefox too)
  • by lostboy2 ( 194153 ) on Thursday December 21, 2006 @05:15PM (#17329808)
    Not "fixed" (as in removed), but apparently you can turn it off in IE4 through IE6.
  • Workaround for IE6 (Score:2, Informative)

    by edraven ( 45764 ) on Thursday December 21, 2006 @05:15PM (#17329818)
    Change the security setting for "Allow paste operations via script" to "Prompt". Now it'll ask you every time a script interacts with the clipboard, as near as I can tell. For example, when you're pasting text into the form on Google Maps, it'll ask you if that's okay even though it's you the user requesting the paste operation. But pasting into the Post Comment form here on slashdot does not.

    This has an interesting side effect on the "harmless" exploit page mentioned in the article, though. The script on that page apparently loops continuously, so every time you answer (whether yes or no) the dialog is presented again. The dialog takes precedence over other IE controls, and as near as I can tell there's no way out short of terminating the browser.
  • Re:Probably? (Score:3, Informative)

    by pclminion ( 145572 ) on Thursday December 21, 2006 @05:18PM (#17329862)

    You're worried that if someone steals your laptop, they might be able to find your email address and spam you?

    First of all, I said email PASSWORD, not address. Somebody could steal my laptop and read my email and send email from my account. That would require them to be able to discern the password in all the millions of bytes of swap data, but I can imagine writing a program that could scan for candidates.

    If my email password happened to be equal to my main account password (as can happen due to certain policies, but thankfully not in this case), that's quite a bit more serious. It makes me wonder what else might be lurking in the swap partition. When you type a password (like say, the root password for your main file server) into an application, you're really placing all your faith in that application to dispose of that data appropriately. So yeah, I'd be worried, especially in the context of a company, where it's easy to get your hands on a laptop that doesn't belong to you.

  • My IE7... (Score:2, Informative)

    by sheepoo ( 814409 ) on Thursday December 21, 2006 @05:24PM (#17329952)
    ...did not prompt me!
  • by a.d.trick ( 894813 ) on Thursday December 21, 2006 @05:31PM (#17330036) Homepage
    Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.

    I think it's more accurate to say "appear convenient and powerful". There's nothing convenient or powerful about data lost or computers infected with worms and trojans.

  • Re:not quite (Score:2, Informative)

    by AchiIIe ( 974900 ) on Thursday December 21, 2006 @05:44PM (#17330258)
    Keep in mind, this is an Ajax app, the "GUI" does not know about the internal schema that google spreadsheets uses. I'm not talking about just copying some text, when using spreadsheets you may want to copy a whole row, or a table - formulas, formatting & all the works so you can paste it in excel/openoffice/gnumeric. In this case you have to give access to the javascript application so that it can construct the correct representation and place it in the clipboard.
  • Re:not quite (Score:4, Informative)

    by master_p ( 608214 ) on Thursday December 21, 2006 @07:28PM (#17331540)
    But copy-paste works locally. When you copy-paste data between your documents, even on the web, javascript puts the data on the local clipboard. Remote apps should not be able to steal data from the local clipboard.
  • Re:example (Score:3, Informative)

    by fbjon ( 692006 ) on Thursday December 21, 2006 @07:32PM (#17331586) Homepage Journal
    That site works in Opera too, incidentally, but it's not an example of the security hole. It can only overwrite the content in the clipboard, not copy it back, so it's not a problem. Though perhaps a mild annoyance if you happen to store all your important data and private keyfiles in there.
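
The distinction drawn in the comment above, between a page that only writes to the clipboard and one that reads it back, can be checked mechanically when reviewing a page's script. This is an added example, not code from the thread or the linked sites; it looks for Internet Explorer's `window.clipboardData` methods and `document.execCommand` clipboard commands, and both sample scripts are constructed.

```javascript
// Added example: classify a page script's clipboard calls as read or write.
// Patterns cover IE's window.clipboardData methods and document.execCommand.
const CLIPBOARD_RULES = [
  { re: /clipboardData\s*\.\s*getData\s*\(/, api: "clipboardData.getData", direction: "read" },
  { re: /clipboardData\s*\.\s*setData\s*\(/, api: "clipboardData.setData", direction: "write" },
  { re: /clipboardData\s*\.\s*clearData\s*\(/, api: "clipboardData.clearData", direction: "write" },
  { re: /execCommand\s*\(\s*["']paste["']/i, api: "execCommand(paste)", direction: "read" },
  { re: /execCommand\s*\(\s*["'](?:copy|cut)["']/i, api: "execCommand(copy/cut)", direction: "write" },
];

// Returns one finding per matching rule per line. Commented-out calls are
// reported too, which errs on the side of manual review.
function auditClipboardUse(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const rule of CLIPBOARD_RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: index + 1, api: rule.api, direction: rule.direction });
      }
    }
  });
  return findings;
}

// True when any call can pull the user's clipboard contents into the page.
function readsClipboard(source) {
  return auditClipboardUse(source).some((f) => f.direction === "read");
}

// Constructed sample: a "copy link" helper that only overwrites the clipboard.
const WRITE_ONLY_SCRIPT = [
  "function copyLink() {",
  '  window.clipboardData.setData("Text", document.getElementById("link").value);',
  "}",
].join("\n");

// Constructed sample: a script that reads the clipboard back into the page.
const READ_BACK_SCRIPT = [
  'var text = window.clipboardData.getData("Text");',
  'document.execCommand("Paste");',
].join("\n");

console.log("write-only sample reads clipboard:", readsClipboard(WRITE_ONLY_SCRIPT));
console.log("read-back sample findings:", auditClipboardUse(READ_BACK_SCRIPT));
```
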
  • by complete loony ( 663508 ) on Thursday December 21, 2006 @08:42PM (#17332218)
    Plus they also tried to turn IE into a platform for intranet applications that *require* more access to the machine than they should have from within a browser.
  • Re:not quite (Score:3, Informative)

    by Binestar ( 28861 ) on Friday December 22, 2006 @11:39AM (#17337352) Homepage
    This is the default (and very useful) behavior in each of the Linux installs I've ever done.

    Being able to highlight something, then middle click to paste it somewhere is huge.

    You still have a separate ctrl-c and ctrl-v functionality with a separate clipboard for your manual copy/paste, so you're not losing any functionality.

    It's a *very* useful feature, and far from useless, I keep looking for something similar for windows but can't find anything that works for me.
