How Ajax makes it easier to steal information from your clipboard

With Ajax an attacker can steal information from a computer's clipboard and send it to a server without being detected.

Cut Copy Paste has always been an important part of our digital life. Developers, as well as regular users, can't live without it. Regular users use it routinely to copy and paste information such as passwords and credit card numbers from one form to another. Office employees use it all the time when creating documents. There's no denying our reliance on the Copy and Paste functionality of the clipboard.

As Ray Ozzie said in his blog posting Wiring the Web, "In its simplest form, the clipboard enabled the user to simply grasp the concept of moving a copy of the information from one application to another (i.e. by value)."

When you use the Cut or Copy functions, the information is stored in the computer's memory in the clipboard. That information is later used when you paste it to another area of the same application or a different application. Although you can't see the information, it remains in the computer clipboard until you use the Copy or Cut command again, at which time the information that was previously in the clipboard is overwritten with the latest information that you just copied. Newer Microsoft Office products, including Microsoft Word, allow you to keep more than one item in the clipboard at a time. That information remains there until you clear the clipboard or you restart your computer.

App security talk
Check out Anurag's blog to read what else he has to say about application security.

How would you feel if that information were stolen out of your computer? Like it or not, it's gotten a lot easier to steal it with Ajax. Prior to Ajax, you could see the information on your clipboard by using JavaScript, but you couldn't send it to the server without raising suspicion. Internet Explorer has certain functions that let you copy whatever is on the clipboard inside your browser. So using simple JavaScript a person can capture the information, and now using Ajax he can send it to the server behind the scenes without anyone noticing.

Ajax is not an insecure method because of these approaches. The issue is that Ajax makes it seamless to communicate with the server behind the scenes and hence can be used to steal information that would otherwise be difficult to steal. Real-time keylogging is one method that is easier to do using Ajax. However, unlike keylogging, which could be done in any browser, only Internet Explorer can be used to steal clipboard data. That's because only IE provides JavaScript functions to interact with the clipboard object.

Using JavaScript's window.clipboardData.getData("Text") method, the current value on the clipboard can be retrieved. Using events such as oncopy, oncut and onbeforepaste, custom functionalities can be built to further manipulate the data on the clipboard. The demo I created captures the data on your clipboard. Then every 30 seconds it checks to see if the value on your clipboard has changed and copies it if changed. This demo works only in IE and has not been tested for IE 7. You may also download the source code for the demo. (Note: This code is intended for educational purposes and should not be used maliciously.)

More information on Ajax security
Testing for security in the age of Ajax programming

Ajax security -- A reality check 

Ajax in Action -- Chapter 7, Security and Ajax

As you can see, it's incredibly easy to capture and steal the data on your clipboard. Now Microsoft is working on Live Clipboard, which lets you copy structured data from one Web site to another or from one Web site to a PC application. Imagine if we could copy and paste credit card information from our online banking site into a shopping cart on Amazon. That would make life a lot easier for us and the hackers. Live Clipboard no doubt is the way to go, but Microsoft also needs to consider the security issues when designing this application.

-------------------------------
About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at anurag.agarwal@yahoo.com.


Reader Feedback: Share your comments on this article

This was first published in October 2006

Dig deeper on Software Security Test Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close