Those of us who spend lots of time typing at a keyboard probably love the dynamic duo of CTRL-C and CTRL-V on Windows. Why type in some repeated content, password, WEP key, or other string of information when you can quickly copy and paste it from a magic buffer? (I had a teacher who once said, "Ah, cut and paste -- the two most powerful tools in language.")
There is only one problem, Web surfers: script on a Web page can read this buffer for all Internet Explorer users using IE 6 or lower, a gaping security and privacy hole! See the clipboardData object reference at
http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboarddata.asp for more.
If you leave something lying around on your clipboard, a "bad guy" can read the data and then use Ajax or something even as simple as an invisible <iframe> post or image request to send the leftover data. Now, granted, there might be junk on your clipboard, but there just might be treasure as well. Let's see what you have on your clipboard right now, shall we?
Did you have anything on your clipboard? Hmmm. Now, let's really test the clipboard security issue in action with a demo. First, visit this page:
http://www.port80software.com/200ok/examples/secret.html
On this page, copy some text to your clipboard either with the menu (Edit, Copy) or using CTRL-C. Now, follow the link in that page, which will take you to another page...
Yikes! Notice that this page will show you what was on your clipboard!!!
Also, note that the clipboard object doesn't seem to follow JavaScript's same-origin security policy or really care what domain the content was copied from. The demo clearly shows that you copy on the port80software.com domain and view on the w3compiler.com domain. Double yikes!
So, the moral of this blog post is: be careful what you Copy-Paste, you never know who might be reading it!
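A defensive counterpart to the demo, added here as an example and not part of the original post or Port80's demo code: a page that handles secrets can check whether script can read clipboard text and clear it with `clipboardData.clearData` once the user is done. The names `checkClipboardExposure`, `scrubClipboard` and `makeFakeWindow` are hypothetical, and the mock window is a constructed stand-in so the code also runs outside IE.

```javascript
// Added example: self-check and clean-up around IE's window.clipboardData.

// Reports whether page script can read clipboard text, without ever
// returning or storing the text itself (only its length).
function checkClipboardExposure(win) {
  var cd = win && win.clipboardData;
  if (!cd || typeof cd.getData !== "function") {
    return { scriptable: false, hasText: false, length: 0 }; // no IE clipboard object
  }
  var text;
  try {
    text = cd.getData("Text"); // the same read any page on any domain can make
  } catch (e) {
    return { scriptable: true, hasText: false, length: 0 };
  }
  if (typeof text !== "string" || text.length === 0) { // empty or non-text data
    return { scriptable: true, hasText: false, length: 0 };
  }
  return { scriptable: true, hasText: true, length: text.length };
}

// Call after the user has pasted a password or key, so that pages
// visited later find nothing left over. Returns true when no text remains.
function scrubClipboard(win) {
  if (!checkClipboardExposure(win).scriptable) return true;
  try {
    win.clipboardData.clearData("Text");
  } catch (e) {
    return false;
  }
  return !checkClipboardExposure(win).hasText; // verify, do not assume
}

// Constructed stand-in for an IE window object (assumption: models only
// the getData/clearData calls used above).
function makeFakeWindow(initialText) {
  var buf = initialText;
  return {
    clipboardData: {
      getData: function (fmt) { return fmt === "Text" ? buf : null; },
      clearData: function (fmt) { if (!fmt || fmt === "Text") buf = null; return true; }
    }
  };
}

var demo = makeFakeWindow("constructed-secret");
console.log(checkClipboardExposure(demo), scrubClipboard(demo), checkClipboardExposure(demo));
```

Clearing only helps for what is on the clipboard at that moment; anything copied afterwards is readable again until it is cleared or replaced.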
Browse on,
Port80