Popular Windows site NTFS highlighted the exploit, which has been known about for some time, but which is still not widely known amongst users. "I often copy and paste passwords," said one ZDNet UK reader on finding out about it.
As the number of passwords that people have to keep track of increases, many resort to quick and easy methods of remembering and entering them, and cutting and pasting from a document is not uncommon. A recent survey found that the average IT user now has 21 passwords, with some heavy users having to keep track of as many as 70. Forty-nine percent write their passwords down, or store them in a file on their PC.
A Web page with a simple piece of code can use the Internet Explorer exploit to monitor the contents of the clipboard, and send them to a remote server-side script for processing. The remote script is then able save the clipboard text in a database, or email it to an arbitrary address.
"The biggest threat is if you copy your Internet banking security code or password to your clipboard, then go surfing," said NTFS. "You may even copy your credit card number when buying online, so it is easier to fill in the details, (and then) you may then go to a site that harvests your clipboard information."
The SecurityFocus Web site points to an older example, which creates a popup window that hides out of view with an innocent-looking taskbar entry. This window, which could monitor every piece of text copied into the clipboard, respawns itself when a user tries to close it.
Users can protect themselves from the exploit by clicking on Tools in the Internet Explorer toolbar, then selecting Internet Options / Security / Custom Level, scrolling to Scripting and disabling "Allow past operations via script".
This latest warning comes hot on the heels of several new IE security bugs, and as Microsoft's browser continues to increase in poularity, now commanding more than 52 percent of the market.
Microsoft was not immediately available for comment.
ZDNet UK's Matt Loney reported from London.