On a dull and wet day in May, I sat down with a Hot Chocolate and proceeded to read a recently purchased book entitled “How to Break Web Software“. Having performed some software testing in the past, a lot of the information was old news to me - except one worrying fact:There are a few limitations to this hack:
- It does not appear to work in Mozilla Firefox, although does work in Internet Explorer. (Another reason to use Firefox)
- Only text can be accessed on the clipboard, I was unable to collect documents from my computer.
If you’re wondering why this exploit would be an issue, think how many times you have Copy-Pasted sensitive information on your computer and then carried on surfing the web. Remember - data stays on the clipboard until you either Cut/Copy another piece of data or shut down your PC. Even if you copy a credit card number, password or email address from other applications such as Notepad or from an email in Outlook, visiting a website with this exploit afterwards would allow the hacker to retrieve your data.
I have made my example code available here in case you’re interested in seeing it work. The example page will NOT record your information in any way, it will only show you what the script finds in your clipboard. I’d advise highlighting some text on this blog page and copying it before clicking the link, this will mean that you can verify the data displayed is correct and that your privacy is always kept.
So how do you prevent people from taking advantage of this code? I would recommend either copying some arbitrary text on a web page after Copy-Pasting sensitive data or using a software application such as Roboform which will securely store and manage your sensitive data.