Be careful with CTRL+C

[Imran Khan]

PROBLEM





We do copy various data by ctrl+c for pasting elsewhere. This copied data is stored in clipboard and is accessible from the net by a combination of Javascripts and ASP.







Just try this:



1) Copy any text by ctrl+c



2) Click the Link:



http://www.friendlycanadian.com/applica ... pboard.htm



3) You will see the text you copied on the Screen which was accessed by this web page.







Do not keep sensitive data (like passwords, creditcard numbers, PIN etc.) in the clipboard while surfing the web. It is extremely easy to extract the text stored in the clipboard to steal your sensitive information.





Solution for this problem







Everything boils down to the security knowledge a user can have. Nobody will know that this is possible.





It is only for Internet Explorer because as of today it is still one of the most used browsers. Around 95% users still use it.



Goto Internet Options, Security, Click on the Internet Icon, Click Custom Level, and Change the settings under the active scripting options to the as shown in the figure and click ok.

[lonewolf]

[ycr007]

But nobody else can get this info rite?



I mean if i run that script on my pc,it'll display the local clipboard contents...

is there a way any hacker can run that script on my pc and view the results himself?



and won't that script be blocked by resident Anti Vrii etc??

[lonewolf]

But nobody else can get this info rite?.....
is there a way any hacker can run that script on my pc and view the results himself?

Piece of cake... want me to give you a demo?

and won't that script be blocked by resident Anti Vrii etc??

Its a part of IE's unwanted extensions (aka ActiveX objects). You might as well not use IE if you want to be totally safe.

[CtrlAltDel]

You might as well not use IE if you want to be totally safe.

or just apply the proper security settings...

[ycr007]

I'm ready for a demo......let'em come!!!!



But how can you? I'm curious to know the process.....



coz I thot it will be strictly machin dependent....

Something akin to those siggies on danasoft which show users the OS,Browser,ISP & IP address etc......You had one urself rite lone?

and there's no way YOU Can see MY settings Rite?

[lonewolf]

You might as well not use IE if you want to be totally safe.

or just apply the proper security settings...

What security settings? If you disable those IE-specific features, you'll not be able to see anythong on half the websites you visit now.



ActiveX is technically an unremovable part of IE.

[ycr007]

[lonewolf]

I had this page long ago and took it off for many reasons, but since someone mentioned the idea, I revived it.



And you asked me about the logging, right? I'll do it later in the day, but will remove it as soon as you check it. I don't log any data of my visitors.

[ycr007]

Good Boy Loney



But u still haven't tld me how can YOU see MY pc's Clipboard contents

[lonewolf]

But u still haven't tld me how can YOU see MY pc's Clipboard contents

From your screenshot, its obvious you haven't done any Ctrl+C yet.



Do a Ctrl+C and refresh the page http://ie.digs.it



IE allows the clipboard contents to be accessed via the clipboardData object, that is you can write a JavaScript that runs off the client browser. This is dangerous because it allows you to view and even change what is there in the clipboard!



Firefox prevents any access of the clipboard, so its much safer.

[ycr007]

I did that Lone but did'nt post any screenshot



but what i meant to ask is that,when i visit the page,the contents will be visible to me only,Rite?

And when the site is visited on any other PC,it will show the clipboard contents of that PC,Rite?

So,Will YOU,as an author of the script,be able to see what is there on My PC's Clipboard?

[CtrlAltDel]

its not working lone...i too tried it after a Ctrl+C!

[ycr007]

its not working lone...i too tried it after a Ctrl+C!

IE of Mozilla?



It does'nt work on FF.Shows that "You're Using a Secure Browser"

[CtrlAltDel]

its not working lone...i too tried it after a Ctrl+C!

IE of Mozilla?

It does'nt work on FF.Shows that "You're Using a Secure Browser"

i am using IE...failure maybe coz the security settings block paste ops from script....yes...that must be it...

[Betty]

I got the following information a few days back on our mailing list, it seconds what CAD meant:



--------------------------

To avoid the problem, do this:

1. Goto Internet Options, Security, Click on the Internet Icon



2. Click Custom Level



3. Change the settings under the 'scripting' option --> 'Allow paste operations via script' --> disable

----------------------------

[KK]

I got the following information a few days back on our mailing list, it seconds what CAD meant:

--------------------------
To avoid the problem, do this:
1. Goto Internet Options, Security, Click on the Internet Icon

2. Click Custom Level

3. Change the settings under the 'scripting' option --> 'Allow paste operations via script' --> disable
----------------------------

Even more plausible solution,

1. uninstall IE and install firefox

2. uninstall MS OS and install linux

[CtrlAltDel]

1. uninstall IE and install firefox

not possible at work

2. uninstall MS OS and install linux

yeah right.. that can happen the day all apps that run in my PC run on linux too...

[lonewolf]

I got the following information a few days back on our mailing list, it seconds what CAD meant:

--------------------------
To avoid the problem, do this:
1. Goto Internet Options, Security, Click on the Internet Icon

2. Click Custom Level

3. Change the settings under the 'scripting' option --> 'Allow paste operations via script' --> disable
----------------------------

Sure, do that. Only, you won't be able to open websites that run extensively on JavaScript.

[ycr007]

1. uninstall IE and install firefox

not possible at work

I did that clandestinely and copped up a sysadmin yelp!!!