Desultory Thoughts

You might be surprised to know what kind of information people know about your computer when you visit their website. I have several different stat programs that record information about the visitors who come to my website, as most people do. If you’re curious to find out what people can find out about your computer just by visiting a website, check out this interesting site called Project IP [projectip.com].

The most revealing thing (especially if you’re using Internet Explorer) is at the very bottom of the page on Project IP. It’s the last item you copied onto your clipboard and the script that was used to find this information out is turned on in IE by default. I was surprised to find this out and I immediatley set this option to prompt me if I ever run into it again. I don’t keep track of what was last copied into my clipboard, but I know that it’s nobodys business.

The instructions to disable or prompt for permission to run the script is outlined on Project IP as follows:

Only works in Internet Explorer on the Windows platform. It reportedly works with varied success when IE is running in an emulator such as VMWare on another OS. If you have to use Windows, at least dump IE and use Firefox.

Rouge Evil websites can use this to steal potentially sensitive data from your Windows clipboard. I have done this in Javascript within the browser and the contents of your clipboard is not sent to this server. If someone wanted to snoop they would do what I have done, except the text area where it’s displayed would be invisible (using CSS) and they would use an XMLHttpRequest object to send it back to the webserver.

Fix: Go to Tools > Internet Options > Security > Select a security zone > Custom Level > Scripting > Allow paste operations via script and set it to Disabled or Prompt.