| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070316231425.GM953@uriel.eclipsed.net>
Date: Fri, 16 Mar 2007 19:14:25 -0400
From: gabriel rosenkoetter <gr@...ipsed.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: tinyurl.com - Local Clipboard
On Thu, Mar 15, 2007 at 12:30:48PM -0500, Shaun wrote:
> I took a quick look and it appears that they aren't trying to read the
> clipboard, they're trying to write the generated tinyurl to it for the
> folks who are too lazy to control-c it out of the page. Annoying to have
> your clipboard contents clobbered, but not really a threat.
>
> It didn't do anything in FF2.
Since I only use Windows, let alone IE, at Work (where I'm
invariably issued a Windows laptop whether I like it or not), and
I'm too lazy to dig out the work laptop at the moment, I'm not
checking this now, but I recall pretty clearly that this is a
behavior that tinyurl.com OPENLY ADVERTISES as being a "feature" of
using that site with IE under Windows (and nowhere else, because
no other browser and OS security model permits such silliness).
It's a security problem, but it's not indicative of any particular
threat on their part.
(Really, if the original poster wanted to bitch about evil intentions
at tinyurl.com, the obfuscation of affiliate links is a much better
target...)
--
gabriel rosenkoetter
gr@...ipsed.net
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists