Information Assurance

Daniel Castro



Bugtraq Analysis

Microsoft Internet Explorer Unauthorized Clipboard Contents Disclosure Vulnerability


As stated on Bugtraq "A vulnerability was reported in Microsoft Internet Explorer that could permit a remote site to gain access to contents of the client user's clipboard.

This vulnerability is a variant of similar issues which could permit scripting operations to gain access to clipboard contents, such as that described in BIDs 215 and 3862. This issue employs the execCommand("Paste") method to copy clipboard contents into a small (or hidden) textarea. In this manner, security checks performed by the browser are bypassed and the clipboard contents will be copied.

The impact of exploitation depends entirely on what sort of information is stored in the user's clipboard at the time of exploitation, though it is common for users to copy various credentials into their clipboard."

An example of the exploit is provided below (from http://www.infinitybit.com/comsec/clippy.html).

This page uses the following code:

<form name="myform" id="myform">
<textarea name="clipboard" id="clipboard"></textarea>
</form>
<script>
var copyNum=myform.clipboard.createTextRange();
copyNum.execCommand("Paste");
copyNum.collapse(false);
</script>

Note that the textarea tag could easily be replaced with a hidden field, such as:

<input name="clipboard" type="hidden" value="">

The form could also be set to submit/post automatically without any user interaction.

What could have prevented it:

The cause of the problem is bad program design. At a minimum, this security option should be disabled by default, or should require user permission by default. Since this type of exploit has occurred in the past with Internet Explorer, this vulnerability should be specifically guarded against during software development.

What can be done to work around it:

This issue can be effectively mitigated by disabling the "Allow paste options via scripting" setting in Internet Explorer.

If you instead set this option to prompt, you will clearly know when a web page is trying to paste your clipboard contents.

An additional precaution would be for web users to avoid copying sensitive information into their clipboards.
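
Anyone who reviews or filters page source can also flag the pattern described above statically. The following check is an added example, not code from the original analysis or from Bugtraq; the function and constant names are hypothetical, SAMPLE is the snippet quoted on this page, and QUOTED is a constructed input.

```javascript
// Added example: flag scripted clipboard reads in saved page source.
// All names here are hypothetical; SAMPLE is the snippet quoted on this page.
const SCRIPT_BLOCK = /(<script\b[^>]*>)([\s\S]*?)<\/script\s*>/gi;
const PASTE_CALL = /\.execCommand\s*\(\s*(["'])paste\1/gi;
const HIDDEN_INPUT = /<input\b[^>]*\btype\s*=\s*["']?hidden\b/i;
const TEXTAREA = /<textarea\b/i;

// 1-based line number of a character offset.
function lineOf(text, offset) {
  return text.slice(0, offset).split("\n").length;
}

// Returns one finding per execCommand("Paste") call inside a <script> block.
// Escaped markup (&lt;script&gt;) in an article about the bug does not match.
// Not covered: external script files and inline event-handler attributes.
function findScriptedPaste(html) {
  // Where the pasted data could land: a field the user cannot see is worse.
  const sink = HIDDEN_INPUT.test(html) ? "hidden-input"
    : TEXTAREA.test(html) ? "textarea" : "unknown";
  const findings = [];
  for (const block of html.matchAll(SCRIPT_BLOCK)) {
    const bodyStart = block.index + block[1].length; // offset of script body
    for (const call of block[2].matchAll(PASTE_CALL)) {
      findings.push({ line: lineOf(html, bodyStart + call.index), sink });
    }
  }
  return findings;
}

const SAMPLE = [
  '<form name="myform" id="myform">',
  '<textarea name="clipboard" id="clipboard"></textarea>',
  "</form>",
  "<script>",
  "var copyNum=myform.clipboard.createTextRange();",
  'copyNum.execCommand("Paste");',
  "copyNum.collapse(false);",
  "</script>",
].join("\n");

// Constructed input: the same call shown as escaped text, as an article would.
const QUOTED = '<pre>&lt;script&gt;r.execCommand("Paste");&lt;/script&gt;</pre>';

console.log(findScriptedPaste(SAMPLE));
console.log(findScriptedPaste(QUOTED));
```

A finding whose sink is "hidden-input" means the pasted data would never be visible to the user, which is the variant the analysis warns about.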

What can be done to prevent it from occurring in the future:

A better design analysis of the software would have discovered the security vulnerability, since it has happened in the past. The defaults for this feature should have been restricted for security. Since Internet Explorer is part of the OS (according to Microsoft), it seems possible for Microsoft to implement a "secure" clipboard for copying sensitive data that would not be available to Internet Explorer, or one that could be used only once (i.e., its contents are deleted after the first paste).