In association with heise online

Internet Explorer - Demo: scripts can read out clipboard

Scripts should not be able to access the content of the clipboard - at least, not unless the content is part of Internet Explorer. The standard settings since IE 5, however, allow the clipboard to be read out even if it contains content from a confidential document, for instance.

To demonstrate this, just copy some text from an application (such as Notepad or WordPad) into the clipboard ([Ctrl]+c) and click on this button:

This demo only works with JavaScript.

If the tests work, an alert box will appear containing the text from the clipboard. The script could have just as easily sent this text to another server. If no message appears, the test did not work.

Remedy: in the security settings for IE, switch access to the clipboard off or at least activate the security query.


  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit