Internet Explorer asks “Do you want to allow this webpage to access your Clipboard?”
Nov 9th, 2007 by admin
If you visit a website and are asked if you’d like to allow the site to read your clipboard, you probably want to say NO. Unless you’re expecting the web page to be reading your clipboard, you should not allow it. It could be something sneaky, possibly gathering passwords or credit card information.
This blog post describes the security setting in IE7 that warns you, and tells how you can turn it off (I don’t recommend turning it off….)
http://www.mydigitallife.info/2006/09/25/disable-allow-this-webpage-to-access-your-clipboard-pop-up-warning-message-in-ie7/
Technically, it’s pretty simple. A single line of javascript on the page can read your clipboard (unless IE is set to block it).
This article describes how the javascript trick is done:
http://www.arstdesign.com/articles/clipboardexploit.html
This blog post also describes how it’s done, and has a sample link, if you’d like to see this in action, or just to test if you’re protected or not:
http://harriyott.com/2005/01/javascript-clipboard-control.aspx
As for ClipMate (our product), the vulnerability doesn’t go any further than what’s on the clipboard (the currently selected clip). Such scripts have no capability to dig into ClipMate’s database or force it to give up other clips.
Update: (Dec 7, 2007) Now it looks like an e-mail trojan is exploiting this. I suspect that it can only work if you used web-based e-mail such as squirrelmail, yahoo, gmail, etc.. If you are opening your (web-based) e-mail and your browser asks permission to use the clipboard, DON’T! Here’s a link to the discussion about that:
http://www.windowsbbs.com/showthread.php?t=69461
Looks like a similar issue affecting web-based e-mail.
http://www.windowsbbs.com/showthread.php?t=69461