Whats on your clipboard (Serious Stuff) IE Vulnerability - GoFuckYourself.com

kirupai · 02-13-2004, 09:40 PM

Ok go to this website:

http://www.infinitybit.com/comsec/clippy.html

As you can see it will show what is currently stored on your clipboard this a serious flaw on IE and it has been for more than 3 yeras. Now how is this dengerous... well lets say you have some sensitive data on your clipboard you visit a website it loads and it mails a form with a field from your clipboard and thats all it takes.

Solution:

Users can close this hole by changing the default Internet setting. Preferably, Microsoft
should change the default option to prompt on the Internet zone.

To close this hole in ~7 clicks: Tools, Internet Options, Security, Internet Zone,
Custom Level, Scripting, Allow paste options via scripting -> Disable.

Credits: Steven Vittitoe and Blake Sterzinger

nofx · 02-13-2004, 09:42 PM

smokey is going to own gfy with this now, thanks for sharing.

kirupai · 02-13-2004, 09:46 PM

Quote:

Originally posted by nofx
smokey is going to own gfy with this now, thanks for sharing.

Yeah i was afraid someone will use it against any of us, so thats why i diceded to make it public here so people know about it and can do something to protect their selfs.

lurking · 02-13-2004, 09:47 PM

jawascript is disabled here. smokey only knows basic html tricks.

Dveron · 02-13-2004, 09:56 PM

Quote:

Originally posted by kirupai
Ok go to this website:

http://www.infinitybit.com/comsec/clippy.html

As you can see it will show what is currently stored on your clipboard this a serious flaw on IE and it has been for more than 3 yeras. Now how is this dengerous... well lets say you have some sensitive data on your clipboard you visit a website it loads and it mails a form with a field from your clipboard and thats all it takes.

Solution:

Users can close this hole by changing the default Internet setting. Preferably, Microsoft
should change the default option to prompt on the Internet zone.

To close this hole in ~7 clicks: Tools, Internet Options, Security, Internet Zone,
Custom Level, Scripting, Allow paste options via scripting -> Disable.

Credits: Steven Vittitoe and Blake Sterzinger

Useful post. Thanks

Shoehorn! · 02-13-2004, 10:14 PM

Interesting. They don't know a damn thing with my Mac though. Windows blows.

Lane · 02-13-2004, 10:25 PM

Quote:

Originally posted by lurking
jawascript is disabled here. smokey only knows basic html tricks.

how can u surf without js?

lurking · 02-13-2004, 10:29 PM

Quote:

Originally posted by Lane

how can u surf without js?

I dont. it is disabled on the board.

fuzebox · 02-13-2004, 10:31 PM

I don't have a clipboard...

goBigtime · 02-13-2004, 10:34 PM

I <3 Mozilla FireFox

gleb · 02-13-2004, 10:34 PM

wow, thats pretty fucking serious

and before i thought address bar spoofing was hardcore

kirupai · 02-13-2004, 10:47 PM

Quote:

Originally posted by gleb
wow, thats pretty fucking serious

and before i thought address bar spoofing was hardcore

Yeah adress spoofing is mainley used in phishing scams, they make it look more LEGIT which is a serious problem to.

digifan · 02-13-2004, 10:59 PM

Quote:

Originally posted by TheSmutPeddlerDOTcom
Interesting. They don't know a damn thing with my Mac though. Windows blows.

Mr.Fiction · 02-13-2004, 10:59 PM

Someone used this exploit on GFY already. Good information on how to fix it.

Smokey The Bear · 02-13-2004, 11:05 PM

Quote:

Originally posted by lurking
jawascript is disabled here. smokey only knows basic html tricks.

Your a fucking moron with no brains. This exploit has been around for the last year. Completely useless. WHy would i want your paste ?? especially when i can get most people's c:\ in here .

Also javascript is not disabled , you just dont have the ability to use it.


__________________
<a href="http://www.sucker.com"><img src="http://bestpornhost.com/gfy/jay.png" border="0"></a>

Smokey The Bear · 02-13-2004, 11:08 PM

And it isnt a flaw it is part of i.e. like it or hate it. Go to www.tinyurl.com and try it out.

lurking · 02-13-2004, 11:10 PM

Quote:

Originally posted by *Smokey The Bear*
especially when i can get most people's c:\ in here

lol. whats mine.

Smokey The Bear · 02-13-2004, 11:11 PM

Quote:

Originally posted by lurking

lol. whats mine.

Sorry i dont do requests.

__________________
<a href="http://www.sucker.com"><img src="http://bestpornhost.com/gfy/jay.png" border="0"></a>

lurking · 02-13-2004, 11:11 PM

Quote:

Originally posted by *Smokey The Bear*

Sorry i dont do requests.

chump.

Smokey The Bear · 02-13-2004, 11:14 PM

Quote:

Originally posted by lurking

chump.

No mitnick was a chump ( and a rat ) thats why he ended up in jail.

lurking · 02-14-2004, 12:36 AM

Quote:

Originally posted by *Smokey The Bear*

No mitnick was a chump ( and a rat ) thats why he ended up in jail.

whats your point? are you trying to compare yourself to him? chump.

02-13-2004, 09:40 PM	#1
kirupai Confirmed User Join Date: Aug 2003 Location: California Posts: 894	Whats on your clipboard (Serious Stuff) IE Vulnerability Ok go to this website: http://www.infinitybit.com/comsec/clippy.html As you can see it will show what is currently stored on your clipboard this a serious flaw on IE and it has been for more than 3 yeras. Now how is this dengerous... well lets say you have some sensitive data on your clipboard you visit a website it loads and it mails a form with a field from your clipboard and thats all it takes. Solution: Users can close this hole by changing the default Internet setting. Preferably, Microsoft should change the default option to prompt on the Internet zone. To close this hole in ~7 clicks: Tools, Internet Options, Security, Internet Zone, Custom Level, Scripting, Allow paste options via scripting -> Disable. Credits: Steven Vittitoe and Blake Sterzinger

02-13-2004, 09:42 PM	#2
nofx Too lazy to set a custom title Join Date: Nov 2002 Location: Virgin Mary's womb Posts: 16,826	smokey is going to own gfy with this now, thanks for sharing. __________________ Often times I wonder why There's love and hate, theres live or die. When sickness comes I must decide: When feelings go, theres suicide.

02-13-2004, 10:14 PM	#6
Shoehorn! Die With Your Boots On Join Date: Oct 2003 Location: Hawaii Posts: 22,872	Interesting. They don't know a damn thing with my Mac though. Windows blows. __________________

02-13-2004, 10:59 PM	#14
Mr.Fiction Confirmed User Join Date: Feb 2002 Location: Free Speech Land Posts: 9,484	Someone used this exploit on GFY already. Good information on how to fix it. __________________ Don't be lazy, protect free speech: ACLU \| Free Speech Coalition \| EFF \| IMPA

02-13-2004, 09:47 PM	#4
lurking Confirmed User Join Date: Jan 2004 Posts: 868	jawascript is disabled here. smokey only knows basic html tricks.

02-13-2004, 10:31 PM	#9
fuzebox making it rain Industry Role: Join Date: Oct 2003 Location: seattle Posts: 22,119	I don't have a clipboard...

02-13-2004, 10:34 PM	#10
goBigtime Confirmed User Join Date: Nov 2002 Posts: 7,761	I <3 Mozilla FireFox

02-13-2004, 10:34 PM	#11
gleb Confirmed User Join Date: Nov 2002 Location: NY Posts: 311	wow, thats pretty fucking serious and before i thought address bar spoofing was hardcore

02-13-2004, 11:08 PM	#16
Smokey The Bear So Fucking Banned Join Date: Dec 2003 Location: South Of Heaven™ Posts: 3,880	And it isnt a flaw it is part of i.e. like it or hate it. Go to www.tinyurl.com and try it out.