Clipboard content stealing by tricking the user into pressing Ctrl + V on a hidden input
Categories
(Firefox :: Security, defect, P5)
People
(Reporter: levitnudi, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file: 1.22 KB, text/html)
Attached code will demonstrate how clipboard data can be sniffed by misleading users to press a combination of keys. Any website can provide keyboard shortcuts for user convenience. To take a real-life example, imagine a web gaming site that asks users to press a combination of keys to get certain things done, e.g. (CTRL + V + Enter) to reload a weapon or a cheat sheet. It's not easy for a common web user or game enthusiast to suspect what could be going on. In the following example, I will demonstrate how an attacker can take advantage to steal sensitive user information such as emails, passwords and more by allowing unsuspecting users to paste this content into an invisible HTML input. For demo purposes, your pasted content will be displayed in a div element.
In this demo, the input field is brought to focus every 1 second using a timer to make sure the content is pasted in the right place for the attacker to sniff.
SUGGESTED PATCH IDEAS
The browser could listen to paste shortcuts or actions and prompt the user to seek consent, thereby informing them of a pending paste intent.
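The report above describes a paste landing in an input the user cannot see. The following is an added example, not part of the bug report or of Firefox: a heuristic that a hypothetical content script could run on every paste event to cancel pastes into targets that are not visibly rendered. The function names and thresholds are assumptions.

```javascript
// Added example, not code from the bug report or from Firefox.
// All thresholds below are assumptions chosen for illustration.
const MIN_OPACITY = 0.1; // below this, treat the field as invisible
const MIN_SIDE_PX = 4;   // smaller than this in either dimension: treat as hidden

// Multiply opacity up the ancestor chain: a child of an opacity:0 parent
// still reports a computed opacity of 1 on its own.
function effectiveOpacity(el, win) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const value = parseFloat(win.getComputedStyle(node).opacity);
    if (!Number.isNaN(value)) opacity *= value;
  }
  return opacity;
}

// Return the reasons (possibly none) why the user cannot see this element.
function hiddenReasons(el, win) {
  const reasons = [];
  const rect = el.getBoundingClientRect();
  if (effectiveOpacity(el, win) < MIN_OPACITY) reasons.push('transparent');
  if (rect.width < MIN_SIDE_PX || rect.height < MIN_SIDE_PX) reasons.push('tiny');
  if (rect.right <= 0 || rect.bottom <= 0 ||
      rect.left >= win.innerWidth || rect.top >= win.innerHeight) {
    reasons.push('offscreen');
  }
  return reasons;
}

// Paste handler: cancel the paste before page scripts see it when the
// target is not visible, and report why.
function guardPaste(event, win) {
  const el = event.target;
  if (!el || typeof el.getBoundingClientRect !== 'function') return [];
  const reasons = hiddenReasons(el, win);
  if (reasons.length > 0) {
    event.preventDefault();           // nothing is inserted into the field
    event.stopImmediatePropagation(); // later paste listeners do not run
  }
  return reasons;
}

// Install only when running in a page (e.g. from a content script).
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  window.addEventListener('paste', (e) => guardPaste(e, window), true);
}
```

This is a heuristic, not a complete fix: it only inspects opacity, size and position, and it does not replace the consent prompt discussed in the report.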
Comment 1•5 years ago
Phew, I mean this feels really hard to prevent. You're right in that this is a plausible attack, but pasting things into documents is also quite a sensible thing to do for the user and I don't imagine that a new disturbing prompt would go over well (and potentially have a harmful "warning blindness" effect instead).
In any case I don't think this idea is so novel or difficult to come by that we need to keep this bug hidden. This type of issue probably benefits from a public discussion about mitigating in a web compatible way.
Dan, do you agree that this doesn't need to stay hidden? Are you aware of a dupe for this?
Comment 2•5 years ago
Greg, can you please remove the websites security group for this bug so that it's only firefox-core-security? :)
Thanks!
You're right, Johann, though I think there are different approaches that can be looked into. For example, enforcing a one-time paste permission for each website to use paste shortcuts, and maybe on desktops/PCs only. For manual paste, this may not apply because the user can only do that consciously. This loophole, as hard as it seems to solve, still leaks user data to the attacker, against GDPR. Or probably the safest way is by notifying the user that they are about to paste some "ABC" content and the implication, asking them if they agree and giving an option if they would want to see the popup again on that website. In that case, users will have knowingly consented to share data with those websites. This attack is not any different from Autofill requesting one piece of information, e.g. first name, and secretly collecting other sensitive information such as emails, passwords, addresses, phone numbers using hidden fields on the same page.
Comment 4•5 years ago
(In reply to Johann Hofmann [:johannh] from comment #1)
In any case I don't think this idea is so novel or difficult to come by that we need to keep this bug hidden. This type of issue probably benefits from a public discussion about mitigating in a web compatible way.
Dan, do you agree that this doesn't need to stay hidden? Are you aware of a dupe for this?
Not a dupe of the PoC (which is essentially "social engineering"), but bug 363132 is similarly an attempt to harvest the user's clipboard leading to a long discussion about various clipboard ills. Maybe that bug evolved to a generic enough state that it IS a dupe? If so add a comment mentioning attachment 9191469 [details] as an additional POC.
Thanks for sharing, I'm only seeing this bug 363132 for the first time. I've looked at the discussions on the other side; they seem to have been very long ago. I believe the solution can be as simple as notifying the user of what they are about to paste. The cut or copy shortcut is not an issue in this case; the paste shortcut is, because one is simply sharing their data.
Comment 6•5 years ago
I guess we can leave it open as a P5 (to make it clear that we don't see a viable path forward at the moment but are happy to accept suggestions). I'll update the bug title to clarify that this isn't "sniffing" but social engineering, as Dan says.