Nov 9th, 2007 by Chris Thornton
If you visit a website and are asked if you’d like to allow the site to read your clipboard, you probably want to say NO. Unless you’re expecting the web page to be reading your clipboard, you should not allow it. It could be something sneaky, possibly gathering passwords or credit card information.
This blog post describes the security setting in IE7 that warns you, and explains how you can turn it off (I don’t recommend turning it off).
This blog post also describes how it’s done and has a sample link, if you’d like to see this in action or just test whether you’re protected:
As for ClipMate (our product), the vulnerability doesn’t go any further than what’s on the clipboard (the currently selected clip). Such scripts have no capability to dig into ClipMate’s database or force it to give up other clips.
Update (Dec 7, 2007): Now it looks like an e-mail trojan is exploiting this. I suspect that it can only work if you use web-based e-mail such as squirrelmail, yahoo, gmail, etc. If you are opening your (web-based) e-mail and your browser asks permission to use the clipboard, DON’T! Here’s a link to the discussion about that: