Slashdot Mirror


Clipboard Data Theft Now Optional With IE7

An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."


  1. Re:not quite by ruiner13 · · Score: 2, Informative

    I could be wrong, but I think I remember a setting in Firefox's about:config page that allows you to enable sites to access the clipboard. This may have been removed, but I think it was in there at least in FF 1.0. There is still something called clipboard.autocopy in there in FF 2.0.0.1, I don't recall if this is the same setting.

    --

    today is spelling optional day.

  2. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  3. Re:not quite by Thansal · · Score: 2, Informative

    Quick google tells us that clipboard.autocopy is a *nix only option that automatically copies selected text to the clipboard.

    --
    Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
  4. Only a matter of time... by Joebert · · Score: 2, Informative

    ... before someone ignores that little "This is a Phishing site you fucking moron !" indicator & clicks "ok" for this prompt.

    Yes, it's possible to disable it completely through Internet Security Settings with a setting called "Programmatic Clipboard Access".

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  5. Re:not quite by Binestar · · Score: 2, Informative

    clipboard.autocopy is the setting to tell you if you want highlighted text to automagically be copied instead of doing it with the mouse/keyboard.

    signed.applets.codebase_principal_support gives scripts using codebase principals access to advanced scripting capabilities. Basically, it allows signed applets out of the sandbox because they've promised to play nice. One of the main uses of this (according to the help page) is to allow IRC applications access to your clipboard.

    http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

    --
    Do you Gentoo!?
  6. Re:not quite by uncommonlygood · · Score: 5, Informative

    Don't know about the others, but Firefox definitely does implement it; it's just off by default.

  7. example by c00rdb · · Score: 2, Informative

    here's a site that has a valid use for the paste part of the exploit. not sure about the retrieval part... (works on firefox too) www.2prong.com

    1. Re:example by fbjon · · Score: 2, Informative

      That site works in Opera too, incidentally, but it's not an example of the security hole. It can only overwrite the content in the clipboard, not copy it back, so it's not a problem. Though perhaps a mild annoyance if you happen to store all your important data and private keyfiles in there.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  8. Re:Are both ways fixed? by lostboy2 · · Score: 4, Informative

    Not "fixed" (as in removed), but apparently you can turn it off in IE4 through IE6.

  9. Workaround for IE6 by edraven · · Score: 2, Informative

    Change the security setting for "Allow paste operations via script" to "Prompt". Now it'll ask you every time a script interacts with the clipboard, as near as I can tell. For example, when you're pasting text into the form on Google Maps, it'll ask you if that's okay even though it's you the user requesting the paste operation. But pasting into the Post Comment form here on Slashdot does not.

    This has an interesting side effect on the "harmless" exploit page mentioned in the article, though. The script on that page apparently loops continuously, so every time you answer (whether yes or no) the dialog is presented again. The dialog takes precedence over other IE controls, and as near as I can tell there's no way out short of terminating the browser.
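
    The setting change described in the comment above, as an added example that is not part of the comment or the original thread: a PowerShell sketch that reports and sets the per-user zone policy for script clipboard access. It assumes the setting is stored as URL action 1407 (URLACTION_SCRIPT_PASTE) under the per-user Internet Settings zone keys; the function names are hypothetical.

```powershell
# Added example, not from the original thread.
# Assumption: "Allow paste operations via script" (IE6) / "Allow Programmatic
# clipboard access" (IE7) is URL action 0x1407, stored per security zone.
$ZoneRoot    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Action      = '1407'
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                  3 = 'Internet';    4 = 'Restricted sites' }
$PolicyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ScriptPastePolicy {
    # Report the current policy for every zone so weak settings stand out.
    foreach ($zone in 0..4) {
        $key   = Join-Path $ZoneRoot "$zone"
        $entry = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        $state = 'not set (browser default applies)'
        if ($null -ne $entry) {
            $raw   = [int]$entry.$Action
            $state = if ($PolicyNames.ContainsKey($raw)) { $PolicyNames[$raw] } else { "unknown ($raw)" }
        }
        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; ScriptPaste = $state }
    }
}

function Set-ScriptPastePolicy {
    param(
        [ValidateRange(0, 4)][int]$Zone = 3,                        # 3 = Internet zone
        [ValidateSet('Enable', 'Prompt', 'Disable')][string]$Policy = 'Prompt'
    )
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Policy]
    $key   = Join-Path $ZoneRoot "$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Per-user value only; a machine-wide or Group Policy setting can override it.
    New-ItemProperty -Path $key -Name $Action -Value $value -PropertyType DWord -Force | Out-Null
}

Get-ScriptPastePolicy | Format-Table -AutoSize
# Set-ScriptPastePolicy -Zone 3 -Policy Prompt    # what the comment describes
# Set-ScriptPastePolicy -Zone 3 -Policy Disable   # avoids the repeated-prompt loop
```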

  10. Re:Probably? by pclminion · · Score: 2, Informative

    You're worried that if someone steals your laptop, they might be able to find your email address and spam you?

    First of all, I said email PASSWORD, not address. Somebody could steal my laptop and read my email and send email from my account. That would require them to be able to discern the password in all the millions of bytes of swap data, but I can imagine writing a program that could scan for candidates.

    If my email password happened to be equal to my main account password (as can happen due to certain policies, but thankfully not in this case), that's quite a bit more serious. It makes me wonder what else might be lurking in the swap partition. When you type a password (like say, the root password for your main file server) into an application, you're really placing all your faith in that application to dispose of that data appropriately. So yeah, I'd be worried, especially in the context of a company, where it's easy to get your hands on a laptop that doesn't belong to you.

  11. My IE7... by sheepoo · · Score: 2, Informative

    ...did not prompt me!

  12. Re:Features vs. Security by a.d.trick · · Score: 2, Informative

    Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.

    I think it's more accurate to say "appear convenient and powerful". There's nothing convenient or powerful about data lost or computers infected with worms and trojans.

  13. Re:not quite by AchiIIe · · Score: 2, Informative

    Keep in mind, this is an Ajax app, the "GUI" does not know about the internal schema that google spreadsheets uses. I'm not talking about just copying some text, when using spreadsheets you may want to copy a whole row, or a table - formulas formatting & all the works so you can paste it in excel/openoffice/gnumeric. In this case you have to give access to the javascript application so that it can construct the correct representation and place it in the clipboard.

    --
    Nature journal lied in Britannica vs Wikipedia Ask to retrac
  14. Re:not quite by master_p · · Score: 3, Informative

    But copy-paste works locally. When you copy-paste data between your documents, even on the web, javascript puts the data on the local clipboard. Remote apps should not be able to steal data from the local clipboard.

  15. Re:Features vs. Security by complete+loony · · Score: 2, Informative

    Plus they also tried to turn IE into a platform for intranet applications that *require* more access to the machine than they should have from within a browser.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  16. Re:not quite by Binestar · · Score: 2, Informative

    This is the default (and very useful) behavior in each of the Linux installs I've ever done.

    Being able to highlight something, then middle click to paste it somewhere is huge.

    You still have a separate ctrl-c and ctrl-v functionality with a separate clipboard for your manual copy/paste, so you're not losing any functionality.

    It's a *very* useful feature, and far from useless. I keep looking for something similar for Windows but can't find anything that works for me.

    --
    Do you Gentoo!?