Internet Explorer Unauthorized Clipboard Contents Disclosure Vulnerability

Feb 14, 2004 11:48AM PST

published Feb 11, 2004
updated Feb 11, 2004

Vulnerable
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0

A vulnerability was reported in Microsoft Internet Explorer that could permit a remote site to gain access to contents of the client user's clipboard.

This vulnerability is a variant of similar issues which could permit scripting operations to gain access to clipboard contents, such as that described in BIDs 215 and 3862. This issue employs the execCommand("Paste") method to copy clipboard contents into a small (or hidden) textarea. In this manner, security checks performed by the browser are bypassed and the clipboard contents will be copied.

The impact of exploitation depends entirely on what sort of information is stored in the user's clipboard at the time of exploitation, though it is common for users to copy various credentials into their clipboard.

Workaround:
This issue can be effectively mitigated by disabling the "Allow paste options via scripting" setting in Internet Explorer.

An additional precaution would be for web users to avoid copying sensitive information into their clipboards.

http://www.securityfocus.com/bid/9643/solution/
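
The workaround above can be audited from the registry instead of clicking through each security zone. The PowerShell below is an added example, not part of the original post or the advisory. It assumes the setting is stored per zone as the DWORD value `1407` (URLACTION_SCRIPT_PASTE) under the current user's Internet Settings zone keys, with 0 = enable, 1 = prompt, 3 = disable; the `-FixZones` parameter and the function name are hypothetical.

```powershell
# Audit the per-zone "paste via script" URL action and optionally disable it.
# Assumption (not from the advisory): the setting is the DWORD value "1407"
# under each zone key; 0 = enable, 1 = prompt, 3 = disable.
# Values enforced by Group Policy live under the Policies hive and are not read here.
param(
    [int[]]$FixZones = @()   # e.g. -FixZones 3,4 to disable in Internet and Restricted sites
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ScriptPasteSetting {
    foreach ($zone in 0..4) {
        $key = Join-Path $zonesRoot "$zone"
        $raw = $null
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name '1407' -ErrorAction SilentlyContinue).'1407'
        }
        $state = if ($null -eq $raw) { 'Not set (zone default applies)' }
                 elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Zone        = $zone
            Name        = $zoneNames[$zone]
            Value       = $raw
            State       = $state
            NeedsReview = ($raw -ne 3)   # anything other than an explicit "disable"
        }
    }
}

foreach ($zone in $FixZones) {
    $key = Join-Path $zonesRoot "$zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing value; 3 = disable paste operations from script
    New-ItemProperty -Path $key -Name '1407' -Value 3 -PropertyType DWord -Force | Out-Null
}

# Report the state of all five zones (after any fix was applied)
Get-ScriptPasteSetting | Format-Table -AutoSize
```

Run without arguments it only reports. A zone showing `NeedsReview = True` either allows or prompts for scripted paste, or has no explicit value and falls back to the zone's default.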
