Internet Explorer asks “Do you want to allow this webpage to access your Clipboard?”
Nov 9th, 2007 by Chris Thornton
If you visit a website and are asked if you’d like to allow the site to read your clipboard, you probably want to say NO. Unless you’re expecting the web page to be reading your clipboard, you should not allow it. It could be something sneaky, possibly gathering passwords or credit card information.
This blog post describes the security setting in IE7 that warns you, and tells how you can turn it off (I don’t recommend turning it off.)
http://www.mydigitallife.info/2006/09/25/disable-allow-this-webpage-to-access-your-clipboard-pop-up-warning-message-in-ie7/
Technically, it’s pretty simple. A single line of JavaScript on the page can read your clipboard (unless IE is set to block it).
This article describes how the JavaScript trick is done:
http://www.arstdesign.com/articles/clipboardexploit.html
This blog post also describes how it’s done, and has a sample link, if you’d like to see this in action, or just to test if you’re protected or not:
http://harriyott.com/2005/01/javascript-clipboard-control.aspx
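To find which script on a page is responsible for the clipboard prompt, a site owner or reviewer can scan the page's JavaScript for clipboard API calls. The following is an added example, not code from this post or the linked articles; the rule list, the `findClipboardAccess` function and the sample script are constructed for illustration.

```javascript
// Heuristic static scan: report lines of page script that touch the clipboard.
// Obfuscated or dynamically built code will not match these patterns.
const RULES = [
  // Legacy IE global object (window.clipboardData), called outside an event object.
  { re: /(?:^|[^.\w])(?:window\.)?clipboardData\.getData\s*\(/,
    api: "window.clipboardData.getData", kind: "read" },
  { re: /(?:^|[^.\w])(?:window\.)?clipboardData\.(?:setData|clearData)\s*\(/,
    api: "window.clipboardData.setData/clearData", kind: "write" },
  // Editing commands issued by script.
  { re: /execCommand\s*\(\s*["']paste["']/i,
    api: "document.execCommand('paste')", kind: "read" },
  { re: /execCommand\s*\(\s*["'](?:copy|cut)["']/i,
    api: "document.execCommand('copy'/'cut')", kind: "write" },
  // Async Clipboard API in current browsers.
  { re: /navigator\.clipboard\.read(?:Text)?\s*\(/,
    api: "navigator.clipboard.read/readText", kind: "read" },
  { re: /navigator\.clipboard\.write(?:Text)?\s*\(/,
    api: "navigator.clipboard.write/writeText", kind: "write" },
];

// Returns one finding per matching rule per line: { line, api, kind }.
function findClipboardAccess(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return; // ignore whole-line comments
    for (const { re, api, kind } of RULES) {
      if (re.test(text)) findings.push({ line: i + 1, api, kind });
    }
  });
  return findings;
}

// Constructed sample page script (not taken from any real site).
const SAMPLE = [
  "function init() {",
  "  var t = window.clipboardData.getData('Text');   // read via legacy IE global",
  "  document.oncopy = function () { clipboardData.setData('Text', ''); };",
  "  field.onpaste = function (e) { use(e.clipboardData.getData('text/plain')); };",
  "  document.execCommand('copy');",
  "}",
].join("\n");

for (const f of findClipboardAccess(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind.padEnd(5)} ${f.api}`);
}
```

The paste handler on line 4 of the sample is not reported, because it reads from the event object of a paste the user initiated rather than from the global clipboard object.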
As for ClipMate (our product), the vulnerability doesn’t go any further than what’s on the clipboard (the currently selected clip). Such scripts have no capability to dig into ClipMate’s database or force it to give up other clips.
Update: (Dec 7, 2007) Now it looks like an e-mail trojan is exploiting this. I suspect that it can only work if you use web-based e-mail such as squirrelmail, yahoo, gmail, etc. If you are opening your (web-based) e-mail and your browser asks permission to use the clipboard, DON’T! Here’s a link to the discussion about that:
http://www.windowsbbs.com/showthread.php?t=69461
Looks like a similar issue affecting web-based e-mail.
http://www.windowsbbs.com/showthread.php?t=69461
Your advice is excellent EXCEPT sometimes you have to permit it for legitimate, trusted sites. You may, of course, set this for the Internet, in general, but you can also set it (otherwise) for your trusted sites. Now, for extra precaution, you might well want to turn it on and off for trusted sites as you need it, but that’s up to you.
Kerry,
Yes, I kind of said that. However, such sites (ones that you DO want to allow silent access of your clipboard) are the minority. I’ve yet to see a good “white hat” example.
I am having a problem with every site I have ever created asking people if they want to allow it to view their clipboard and have no idea why. There is javascript on the sites (I use html protector to protect my hard work as I type out all my code in notepad) and I have never had this error show up on my computer using firefox browser. The protector I use disables highlighting, drag and drop, copy/paste, and other activities and I wonder if something in there is what does it. If so, that would be an example of a good reason for it… I do not want my work stolen! It also rewrites the whole page into a jumbled looking code so that it can not be copied. Anyway, if anyone has advice please shoot me an email I would appreciate it!
Admin Notes: Well, obviously you DO have an idea why! Your javascript is messing with the clipboard. No big mystery here.
[…] the regular “turn off clipboard” setting in IE7 work for this type of attack? I don’t […]
“Do you want to allow this webpage to access your Clipboard?”
If I allow this, what information can the webpage access?
Suppose I allow this and copy anything in another browser running at the same time.
Can the webpage read these copied items?
Can the webpage store this information at its server?
Or just read it?
Reply as soon as possible.