===================================== IE CLIPBOARD STEALING VULNERABILITY A security bulletin by Tom Gilder 12th January 2002 ===================================== More information available at http://tom.vpwsys.co.uk/clipboard/ Numbers indicate a link, see bottom of message. PROBLEM Since Microsoft Internet Explorer ("IE") version 5.0, there has been a way to read and set the users clipboard text from script, by default, and with no prompting. This can be handy for web-based applications to do so, but can be used in a malicious way to steal the clipboard contents. EXPLOIT It is easily possible to monitor the contents of the clipboard, and send it to a remote server-side script for processing. The remote script could then save the clipboard text in a database, or e-mail it to the evil overlord script creator. By itself this doesn't cause much harm, but users can often copy sensitive information to the clipboard - e-mails, addresses, passwords, pictures - just about anything, which could then fall into the wrong hands. The problem lies in the clipboardData object[1], and the getData method[2]. By simply using a setInterval[3], a script can check for a change in the contents of the clipboard, and forward it either using a hidden form, or the XMLHTTP[4] ActiveX object. You can view a sample exploit on my site at http://tom.vpwsys.co.uk/clipboard/exploit.html (IE5.0+, with default security rules). This does no harm to your computer, and does not send any information to me. More information about Data Transfer can be found in the MSDN article, About DHTML Data Transfer[5]. In the most evil of situations, this could be used for an almost unclosable clipboard monitor (see the 2nd example[6]). It could be launched from a HTML e-mail within Outlook or Outlook Express (if the security zone is set to "internet", and the internet zone settings are set to default - basically the default settings of pre-OE6), and maybe be used in conjunction with an e-mail worm to send itself on. USER SOLUTION Microsoft in their great wisdom put in some a setting for script clipboard access. You can edit this via Tools > Internet Options > Security > Select a security zone > Custom Level > Scripting > Allow paste operations via script (phew!). You can set this to Enable (the default for the internet zone), Disable (default for restricted sites) or Prompt. Personally I recommend you set it to prompt - scripts can still have clipboard access, but only when you say so. VENDOR SOLUTION I suggest MS make the Internet Zone default setting to prompt, and improve the prompt dialog to show the clipboard contents (if it is textual) to the user. They could also add a "always allow this site to access the clipboard" checkbox. Microsoft will probably say something like "it's up to the user to set their security settings as they see fit". However I believe the majority of IE users will never change anything in their security settings. They are simply too complex, and buried in the options dialog. VENDOR STATUS Microsoft are fully aware of this issue. They invented the feature. They decided to setup the default security rules as they are. And they should be larted for doing so. This bulletin was sent to the Bugtraq mailing list on 12 January 2002. Security bulletin and exploit code Copyright © Tom Gilder 2002. More information and a HTML version of this bulletin is available at http://tom.vpwsys.co.uk/clipboard/ Handy links: [1] clipboardData object - http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboarddata.asp [2] getData method - http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/getdata.asp [3] setInterval method - http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/setinterval.asp [4] XMLHTTP object - http://msdn.microsoft.com/library/en-us/xmlsdk/htm/xml_obj_ixmlhttprequest_8bp0.asp [5] About DHTML Data Transfer - http://msdn.microsoft.com/workshop/author/datatransfer/overview.asp [6] Exploit examples - http://tom.vpwsys.co.uk/clipboard/exploit.html