How Ajax makes it easier to steal information from your clipboard

Cut Copy Paste has always been an important part of our digital life. Developers, as well as regular users, can't live without it. Regular users use it routinely to copy and paste information such as passwords and credit card numbers from one form to another. Office employees use it all the time when creating documents. There's no denying our reliance on the Copy and Paste functionality of the clipboard.

As Ray Ozzie said in his blog posting

    Requires Free Membership to View

Wiring the Web, "In its simplest form, the clipboard enabled the user to simply grasp the concept of moving a copy of the information from one application to another (i.e. by value)."

When you use the Cut or Copy functions, the information is stored in the computer's memory in the clipboard. That information is later used when you paste it to another area of the same application or a different application. Although you can't see the information, it remains in the computer clipboard until you use the Copy or Cut command again, at which time the information that was previously in the clipboard is overwritten with the latest information that you just copied. Newer Microsoft Office products, including Microsoft Word, allow you to keep more than one item in the clipboard at a time. That information remains there until you clear the clipboard or you restart your computer.

App security talk
Check out Anurag's blog to read what else he has to say about application security.

How would you feel if that information were stolen out of your computer? Like it or not, it's gotten a lot easier to steal it with Ajax. Prior to Ajax, you could see the information on your clipboard by using JavaScript, but you couldn't send it to the server without raising suspicion. Internet Explorer has certain functions that let you copy whatever is on the clipboard inside your browser. So using simple JavaScript a person can capture the information, and now using Ajax he can send it to the server behind the scenes without anyone noticing.

Ajax is not an insecure method because of these approaches. The issue is that Ajax makes it seamless to communicate with the server behind the scenes and hence can be used to steal information that would otherwise be difficult to steal. Real-time keylogging is one method that is easier to do using Ajax. However, unlike keylogging, which could be done in any browser, only Internet Explorer can be used to steal clipboard data. That's because only IE provides JavaScript functions to interact with the clipboard object.

Using JavaScript's window.clipboardData.getData("Text") method, the current value on the clipboard can be retrieved. Using events such as oncopy, oncut and onbeforepaste, custom functionalities can be built to further manipulate the data on the clipboard. The demo I created captures the data on your clipboard. Then every 30 seconds it checks to see if the value on your clipboard has changed and copies it if changed. This demo works only in IE and has not been tested for IE 7. You may also download the source code for the demo. (Note: This code is intended for educational purposes and should not be used maliciously.)

More information on Ajax security
Testing for security in the age of Ajax programming

Ajax security -- A reality check 

Ajax in Action -- Chapter 7, Security and Ajax

As you can see, it's incredibly easy to capture and steal the data on your clipboard. Now Microsoft is working on Live Clipboard, which lets you copy structured data from one Web site to another or from one Web site to a PC application. Imagine if we could copy and paste credit card information from our online banking site into a shopping cart on Amazon. That would make life a lot easier for us and the hackers. Live Clipboard no doubt is the way to go, but Microsoft also needs to consider the security issues when designing this application.

About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at anurag.agarwal@yahoo.com.

Reader Feedback: Share your comments on this article

This was first published in October 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.