Poster | Thread |
Stephen_Robinson
|  |
Re: So websites can read my clipboard? Posted on 19-Nov-2005 21:45:29
| | [ #21 ] |
|
|
 |
Super Member  |
Joined: 29-Apr-2005 Posts: 1991
From: UK | | |
|
| @wegster
It's a serious security problem with a major web Browser, heck, it's our duty to tell people about this and GET THIS GAPPING HOLE FIXED!!
And if it happens to embrasses Mircosoft, well, it's all good init?
SR
PS Aweb 3.5.07 isn't affected, now there's a suprise. _________________ Rage quited 29th May 2011 |
|
Status: Offline |
|
|
Laser
|  |
Re: So websites can read my clipboard? Posted on 19-Nov-2005 23:37:11
| | [ #22 ] |
|
|
 |
Regular Member  |
Joined: 19-Jul-2003 Posts: 333
From: Norwich, UK | | |
|
| @DrBombcrater
Quote:
Features like this are logical enough when you consider what IE's sole purpose was for most of its life - a weapon to kill Netscape. |
I'm not in the least surprised to find IE has this feature, it's simply the sheer stupidity of it.
We have ActiveX, we have the special non-sandbox Microsoft variant of a Java VM, we have email programs that will auto-open exe attachments, we have the default settings of WinXP that allow M$ to remote control your computer and, lo, we have web browsers that will tell the world all manner of information that is useless to anyone except those trying to pry their way into your computer and/or life.
Quote:
But now MS has to fix the pox-mess that is IE's code base in order to make it secure |
Sure, there are hundreds of security holes in the code through mistakes and oversights. They would be forgiveable in some ways (everyone makes mistakes) if M$ weren't a multi-billion dollar company with ten times the programming resources of anyone else. But the IE clipboard thing and all the other stuff aren't accidents, they're totally idiotic features that add no value for the user and cause the sort of fundamental gaping security holes that anyone with the slightest computing competence could see a mile off.
It's nothing to do with out-doing the competition or being under heavy hacker scrutiny. It's an excruciatingly fundamental failure to either understand or care about basic security or privacy.
|
|
Status: Offline |
|
|
olegil
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 1:14:50
| | [ #23 ] |
|
|
 |
Elite Member  |
Joined: 22-Aug-2003 Posts: 5900
From: Work | | |
|
| @Laser
Bah, only criminals need privacy. Right?  _________________ This weeks pet peeve: Using "voltage" instead of "potential", which leads to inventing new words like "amperage" instead of "current" (I, measured in A) or possible "charge" (amperehours, Ah or Coulomb, C). Sometimes I don't even know what people mean. |
|
Status: Offline |
|
|
Skunkfish
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 2:03:24
| | [ #24 ] |
|
|
 |
Regular Member  |
Joined: 9-Sep-2004 Posts: 295
From: Liverpool, UK | | |
|
| @olegil
Don't know whether its just my machine but it couldn't find anything in the clipboard with Firefox OR Internet Explorer?
Skunkfish _________________ Currently planning to upgrade my Amstrad CPC |
|
Status: Offline |
|
|
BigBentheAussie
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 2:09:13
| | [ #25 ] |
|
|
 |
Super Member  |
Joined: 28-Oct-2003 Posts: 1690
From: Melbourne, Australia | | |
|
| Quote:
var content = clipboardData.getData("Text"); |
And if I change the "Text" type to "File" do I get the file I just copy/pasted?
I shudder when I think about how many times I've pasted passwords, especially when they're computer generated passwords.
Ok. Going back to my happy place now. We have soggy weiners!!! My burger gave me food poisoning.
_________________ Leo Nigro, CTO Commodore USA, LLC Opinions expressed are my own and not those of C= USA. Commodore/AMIGA "Beautiful, High-Performance, Home Computers for Creativity and Entertainment." |
|
Status: Offline |
|
|
DrBombcrater
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 2:30:26
| | [ #26 ] |
|
|
 |
Super Member  |
Joined: 6-Feb-2004 Posts: 1382
From: UK | | |
|
| @Laser
Quote:
Sure, there are hundreds of security holes in the code through mistakes and oversights. They would be forgiveable in some ways (everyone makes mistakes) if M$ weren't a multi-billion dollar company with ten times the programming resources of anyone else. But the IE clipboard thing and all the other stuff aren't accidents, they're totally idiotic features that add no value for the user and cause the sort of fundamental gaping security holes that anyone with the slightest computing competence could see a mile off. |
I'm quite certain the reason this stupid feature is still present in IE is for compatibility. Something, somewhere must use it. And Microsoft is very enthusiastic about maintaining compatibility. Windows and IE are used are the base for some very big, very expensive custom-build IT systems. If any of these systems use that clipboard function (and given the generally miserable quality of said custom software, that's very likely) then MS may not be able to remove it without very serious repercussions.
I don't think MS totally disregard privacy concerns, it just hasn't been a top priority for them. Until recently they always put functionality and compatibility above privacy and security. That worked for a long time, but of course the world has changed now and it doesn't work any longer. It doesn't really matter if they ever manage to fix IE, we've got Mozilla, Firefox, Opera, all of them better than IE.
But the same mindset is needed to fix Windows, and that does matter. Windows is going to be a fact of life for the computer industry for at least another decade, so anyone who can't get by with a niche OS (and by defenition, few people can) is going to have to live with whatever MS can produce._________________ Who do you serve, and who do you trust? - Galen |
|
Status: Offline |
|
|
nicomen
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 10:46:03
| | [ #27 ] |
|
|
 |
Cult Member  |
Joined: 5-Nov-2003 Posts: 539
From: Trondheim, Norway | | |
|
| @all
Lol, is it for MSIE only, then who cares?
It's not like enlighted Amiga users us MSIE to try to surf the net?
In that case, I urge you to switch to a browser that is safe, fast and let's you surf Internet taking advantage of more its modern features (Opera, Firefox, Mozilla, Safari)
_________________ Nicolas Mendoza |
|
Status: Offline |
|
|
Anonymous
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 10:48:49
| | [ # ] |
|
| @olegil
OK I use MS on my high end PC for banking etc. What does this really mean? is all of our info going to clipboard and can then be read? Even past firewall etc?
I know this is not an MS site but you have brought up a very worrying problem?
cheers ace |
|
|
|
|
olegil
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 10:52:48
| | [ #29 ] |
|
|
 |
Elite Member  |
Joined: 22-Aug-2003 Posts: 5900
From: Work | | |
|
| @acefnq
All your clipboard are belong to us, yes. If you must use IE, don't EVER use the clipboard for anything that can be considered even REMOTELY sensitive. _________________ This weeks pet peeve: Using "voltage" instead of "potential", which leads to inventing new words like "amperage" instead of "current" (I, measured in A) or possible "charge" (amperehours, Ah or Coulomb, C). Sometimes I don't even know what people mean. |
|
Status: Offline |
|
|
lbking99
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 11:18:07
| | [ #30 ] |
|
|
 |
Member  |
Joined: 20-Apr-2004 Posts: 11
From: Unknown | | |
|
| Can be fixed easily.
1. In Internet Explorer, go to Tools -> Internet Options -> Security 2. Click on Custom Level 3. In the security settings, click to Disable the “Allow Paste Operations via Script.” That will keep your clipboard contents private. |
|
Status: Offline |
|
|
Laser
|  |
Re: So websites can read my clipboard? Posted on 20-Nov-2005 11:30:03
| | [ #31 ] |
|
|
 |
Regular Member  |
Joined: 19-Jul-2003 Posts: 333
From: Norwich, UK | | |
|
| @DrBombcrater
Quote:
I'm quite certain the reason this stupid feature is still present in IE is for compatibility. Something, somewhere must use it. [...] Windows and IE are used are the base for some very big, very expensive custom-build IT systems. |
You're probably right. I agree with what you say about people now having to deal with this stuff like it or not, but then see what was written by ibking99:
Quote:
3. In the security settings, click to Disable the Allow Paste Operations via Script. That will keep your clipboard contents private. |
So we see again this is a "feature" that arguably has no use, yet serious repercussions, for most users. However, despite there being an option to turn it off, it is ON by default. These big corporate customers of M$ who need the compatibility could turn on the option for their application. The average Joe in the street wouldn't know what a script paste operation was if it bit them, so it should be OFF by default.
Not a clue... 
|
|
Status: Offline |
|
|
Hammer
 |  |
Re: So websites can read my clipboard? Posted on 21-Nov-2005 10:24:37
| | [ #32 ] |
|
|
 |
Elite Member  |
Joined: 9-Mar-2003 Posts: 6184
From: Australia | | |
|
| @olegil
Doesn’t quite work on MS Windows 2003 Server (NT5.2) i.e. (Security set to high by default ) and MS Windows XP X64 (NT5.2) edition.
Last edited by Hammer on 21-Nov-2005 at 10:39 AM. Last edited by Hammer on 21-Nov-2005 at 10:37 AM. Last edited by Hammer on 21-Nov-2005 at 10:29 AM.
_________________ Amiga 1200 (rev 1D1, KS 3.2, PiStorm32/RPi CM4/Emu68) Amiga 500 (rev 6A, ECS, KS 3.2, PiStorm/RPi 4B/Emu68) Ryzen 9 7950X, DDR5-6000 64 GB RAM, GeForce RTX 4080 16 GB |
|
Status: Offline |
|
|
Hammer
 |  |
Re: So websites can read my clipboard? Posted on 21-Nov-2005 10:33:56
| | [ #33 ] |
|
|
 |
Elite Member  |
Joined: 9-Mar-2003 Posts: 6184
From: Australia | | |
|
| @olegil
Already covered in http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q224993&
Last Review : December 3, 2004 Last edited by Hammer on 21-Nov-2005 at 10:36 AM.
_________________ Amiga 1200 (rev 1D1, KS 3.2, PiStorm32/RPi CM4/Emu68) Amiga 500 (rev 6A, ECS, KS 3.2, PiStorm/RPi 4B/Emu68) Ryzen 9 7950X, DDR5-6000 64 GB RAM, GeForce RTX 4080 16 GB |
|
Status: Offline |
|
|
Hammer
 |  |
Re: So websites can read my clipboard? Posted on 21-Nov-2005 10:49:11
| | [ #34 ] |
|
|
 |
Elite Member  |
Joined: 9-Mar-2003 Posts: 6184
From: Australia | | |
|
| @DrBombcrater
The clipboard function should have detected internet domain. Should be enabled within Trusted Zone and LAN by default.
_________________ Amiga 1200 (rev 1D1, KS 3.2, PiStorm32/RPi CM4/Emu68) Amiga 500 (rev 6A, ECS, KS 3.2, PiStorm/RPi 4B/Emu68) Ryzen 9 7950X, DDR5-6000 64 GB RAM, GeForce RTX 4080 16 GB |
|
Status: Offline |
|
|
olegil
|  |
Re: So websites can read my clipboard? Posted on 21-Nov-2005 11:14:14
| | [ #35 ] |
|
|
 |
Elite Member  |
Joined: 22-Aug-2003 Posts: 5900
From: Work | | |
|
| @Hammer
But who on earth goes there looking for _trouble_? I might go to support.microsoft.com if I _know_ I have a problem, looking for a _solution_. But people here at work who use IE didn't know about it, and it sure as heck got their clipboard contents.
If this had been disabled by default it would have been ok. Expect me to have a hidden input box with clipboard contents on all my future projects (auto-filled on page load). This one is too good not to use  _________________ This weeks pet peeve: Using "voltage" instead of "potential", which leads to inventing new words like "amperage" instead of "current" (I, measured in A) or possible "charge" (amperehours, Ah or Coulomb, C). Sometimes I don't even know what people mean. |
|
Status: Offline |
|
|
tomazkid
 |  |
Re: So websites can read my clipboard? Posted on 3-Dec-2006 3:29:27
| | [ #36 ] |
|
|
 |
Team Member  |
Joined: 31-Jul-2003 Posts: 11694
From: Kristianstad, Sweden | | |
|
| *BUMP* Any IE7 users here?
Can the clipboard still be read?
_________________ Site admins are people too..pooff! |
|
Status: Offline |
|
|
NomadOfNorad
|  |
Re: So websites can read my clipboard? Posted on 3-Dec-2006 5:24:27
| | [ #37 ] |
|
|
 |
Cult Member  |
Joined: 2-Jun-2003 Posts: 750
From: Jacksonville, Florida, USA, Earth, Sol system, Milky Way galaxy | | |
|
| @tomazkid
What's particularly interesting is that there's a sourceforge project, whos name escapes me at the moment, which has as its main purpose to let you store usernames and passwords for various sites, and works by placing the appropriate password into the clipboard, for x number of seconds, so that you can paste it into the appropriate field. It's also designed to auto-generate a very strong password (i,e, something like "GJHORH45&^rt+_*`HJKKmmwrZ") on demand for you to use on these sites. I've actually got this database proggy on my thumbdrive, but haven't used it in ages.
This steal-the-contents-of-your-clipboard exploit would eat that for lunch! 
Well, only if you had bookoodle browser windows open, pointed at bookoodle different websites at the time, and were logging onto one or more secure sites while also visiting a site that was using this exploit.
_________________ "I love peacenicks, they're so easy to conquer." --Ivan J Ironfist, the Dictator |
|
Status: Offline |
|
|
ikir
|  |
Re: So websites can read my clipboard? Posted on 3-Dec-2006 7:26:26
| | [ #38 ] |
|
|
 |
Elite Member  |
Joined: 18-Dec-2002 Posts: 5647
From: Italy | | |
|
| @olegil
Explorer sucks so hard.... _________________ ikir |
|
Status: Offline |
|
|
ChrisH
 |  |
Re: So websites can read my clipboard? Posted on 3-Dec-2006 8:12:48
| | [ #39 ] |
|
|
 |
Elite Member  |
Joined: 30-Jan-2005 Posts: 6679
From: Unknown | | |
|
| @tomazkid I use Firefox, but have IE7 installed for security (some software uses IE functionality, e.g. Valve's Steam platform). The official IE7 does *not* reveal my clipboard, so it seems safe(r). _________________ Author of the PortablE programming language. It is pitch black. You are likely to be eaten by a grue... |
|
Status: Offline |
|
|
Hammer
 |  |
Re: So websites can read my clipboard? Posted on 3-Dec-2006 9:28:43
| | [ #40 ] |
|
|
 |
Elite Member  |
Joined: 9-Mar-2003 Posts: 6184
From: Australia | | |
|
| Quote:
tomazkid wrote: *BUMP* Any IE7 users here?
Can the clipboard still be read?
|
Nothing with IE 7.0.5730.11 (from MS WIndows Update)._________________ Amiga 1200 (rev 1D1, KS 3.2, PiStorm32/RPi CM4/Emu68) Amiga 500 (rev 6A, ECS, KS 3.2, PiStorm/RPi 4B/Emu68) Ryzen 9 7950X, DDR5-6000 64 GB RAM, GeForce RTX 4080 16 GB |
|
Status: Offline |
|
|