The Ethical Hacker Network

don

Editor-In-Chief
Administrator
Hero Member

Offline

Posts: 4165

Editor-In-Chief

projectip.com

« on: September 07, 2006, 03:43:07 PM »

There are plenty of sites out there that show you what it knows about you by simply browsing to that site. But did you also know that it can pick up the contents of your clipboard? Just click on the link below to find out:

http://projectip.com/

From the site describing what can be captured:

Quote

The last text item you copied onto your clipboard! Only works in Internet Explorer on the Windows platform. It reportedly works with varied success when IE is running in an emulator such as VMWare on another OS. If you have to use Windows, at least dump IE and use Firefox.

Rogue, evil websites can use this to steal potentially sensitive data from your Windows clipboard. I have done this in Javascript within the browser and the contents of your clipboard is not sent to this server. If someone wanted to snoop they would do what I have done, except the text area where it's displayed would be invisible (using CSS display:none;) and they would use an XMLHttpRequest object to send it back to the webserver, all without your knowledge.

Fix: Go to Tools > Internet Options > Security > Select a security zone > Custom Level > Scripting > Allow paste operations via script and set it to Disabled or Prompt.

Don't copy your password!

Just more useful stuff you can find on the net,
Don


	Logged

CISSP, MCSE, CSTA, Security+ SME

Negrita

Sr. Member

Offline

Posts: 299

Re: projectip.com

« Reply #1 on: September 07, 2006, 05:25:32 PM »

I like using About You from the dnsstuff.com web site. It doesn't go into as much detail, nor does it show you what's on your clipboard, but it's still very informative.

I've been doing lots of experiments there using Tor, Privoxy and a Firefox user agent switcher extension - interesting results. Shocked


	Logged

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

dbrookes

Guest

Re: projectip.com

« Reply #2 on: September 08, 2006, 07:12:21 AM »

Don,

As interesting as it is that the site captures your clipboard, it is only the last entry. Even if you were to copy a password, it would be rather useless since the password could be for just about anything. There is not enough information captured about me to determine what my username is or for what that password is for. Now if a malicious forum host was to embed that code on a page displayed after a login, then yes, that password would come in handy because as most people know, people are lazy when it comes to re-using usernames and passwords.

Doug


	Logged

Manu Zacharia (-M-)

Sr. Member

Offline

Posts: 393

c0c0n Hacking Conference - where hackers unite

Re: projectip.com

« Reply #3 on: October 01, 2006, 11:31:34 AM »

Clipboard Hack - How to protect yourself.

The Clipboard hack is generally done by the following Source Code:

Code:

<Script Language="JavaScript">
var content = clipboardData.getData("Text");
alert(content);
</Script>

Clipboard Hack - How to protect yourself.
To avoid Clipboard Hack Problem, do the following:

1. Go to internet options->security
2. Press custom level
3. In the security settings, select disable under Allow paste operations via script.

Now the contents of your clipboard are safe.

Regards,

Morpheus


	Logged

Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

LSOChris

Guest

Re: projectip.com

« Reply #4 on: October 01, 2006, 02:43:33 PM »

sweet, always worried about someone getting my private cut/paste info...

oh wait, i am on linux and dont have to worry about the windows bug of the day...


« Last Edit: October 01, 2006, 02:45:06 PM by ChrisG »	Logged

Pages: [1] Go Up

« previous next »