Closed
Bug 699688
Opened 14 years ago
Closed 14 years ago
SECURITY THREAT: Firefox allows hijacking of copy function
Categories
(Firefox :: General, defect)
RESOLVED
INVALID
People
(Reporter: mozillaBugzilla, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Build ID: 20110928134238
Steps to reproduce:
Press Control+C
Actual results:
JavaScript event handler got called. Contents of clipboard were read and sent to a third-party IP address not even related to website being viewed. Contents of clipboard were altered.
Expected results:
Under ABSOLUTELY NO CIRCUMSTANCES should JavaScript code be allowed to hook onto a copy-to-clipboard event OR to alter the clipboard OR to open a socket to a third-party domain/IP like tcr.tynt.com. This is a CRITICAL SECURITY HOLE and it is happening in just about every website nowadays. Example: www.dailymail.co.uk
This is such a scary thing that it might actually make me reconsider using Firefox. Imagine if the contents of the clipboard weren't altered. This could easily have gone undetected. Sensitive information like passwords, secret questions, credit card numbers, and bank account routing numbers are all subject to being stolen due to this vulnerability. Really, what developer thought of putting a copy event handler hook in JavaScript and WTF was he thinking?
Copy-n-paste is a function of the OS and the contents of the clipboard and copy or paste events should NEVER be public to web servers. If a web site has a legitimate reason to alter copy-n-paste functionality they can do so without hooks into the OS clipboard. They can use a hidden field and a mouse down event on an image to do custom copy-n-paste.
Many users can be harmed by this security problem, but it is already being exploited like crazy. Keeping it hidden does more harm than good. For now, all I can suggest is disabling JavaScript and adding the following lines to hosts/.hosts files:
127.0.0.1 tynt.com
127.0.0.1 tcr.tynt.com
In addition to removing this evil event handler hook, Firefox should give much greater control to the user over what JavaScript functionality can be performed. My suggestion is to let users define "zones" and put different domains in each zone. The user can then define exactly what event handlers and JavaScript functions are available for each zone, depending on how much the user trusts that zone. Standard zones may be applied by default, but the user should be able to define his own.
For example, I may allow cookies to be written in one zone, moving DIV elements in another, third-party network connections in a third. Zones can be copied into a new zone and then edited. The underlying representation of zones should be a single Zones.xml file. That file should be synchronizable between Firefox installs and Firefox profiles.
Comment 3•14 years ago
Firefox does not provide access to the clipboard to web pages, but the Flash plugin does. IE does allow JavaScript access to the clipboard and I think there's an effort somewhere to allow Firefox to do so with a user prompt and proper security, but on any site you see accessing the clipboard they're doing so via Flash.
There might be something more to your case, such as JS being used to catch something on its webpage, which is of course possible. A page can see what your selection is on the same page and could also hook into checking for copy keyboard shortcuts, but there's nothing unexpected about a page having access to itself or its text boxes.
Also, you don't have any steps to reproduce listed above to investigate with.
Closing as invalid as it is well known that Flash does less than stellar things here. I suggest using the Flashblock extension, and work is ongoing to add the same functionality built into Firefox. If you can find actual steps to reproduce something wrong in Firefox itself please post a new bug report (and please without the rant against the security issues here which were long ago stated when Mozilla first rejected adding IE style clipboard access).
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Negative. I can reproduce this error even with flash disabled. I didn't know you needed more detailed steps than "press Control+C" to know how to replicate copy-n-paste, but ok then:
1. Open your hosts file and make sure that there is no entry to redirect tcr.tynt.com to localhost. Save your .hosts file if you have to change it.
2. Start Firefox 7. (I can add steps to do this if necessary.)
3. Make sure that flash is disabled. Use either Firefox Add-On FlashBlock 1.5.15.1 or QuickJava 1.7.5. (If you need steps on installing/using these, then go to their plugin websites.)
4. Type the following URL in your address bar and then hit [ENTER]:
http://www.dailymail.co.uk/news/article-2057948/Andy-Rooney-dies-92-Veteran-journalist-dead-month-retiring.html
5. Select the text "Andy Rooney so dreaded the day he had to end his signature '60 Minutes' commentaries" by pressing the left mouse button right before the A in Andy and moving the mouse to the right of the s in commentaries and only then releasing the mouse button. (The amount of text does have to be sufficiently large to trigger the malware, so copying just a few words won't work.)
6. Then press the control key and then the C key and then release both keys.
7. Run Notepad.exe. This can be done by clicking Start->Run and typing Notepad and hitting [ENTER].
8. Press the control key and then the V key and then release both keys.
9. Notice that the text in Notepad is:
Andy Rooney so dreaded the day he had to end his signature '60 Minutes' commentaries
Read more: http://www.dailymail.co.uk/news/article-2057948/Andy-Rooney-dies-92-Veteran-journalist-dead-month-retiring.html#ixzz1crR8y9zi
10. Disable JavaScript. If you're using QuickJava, you just have to click the JS button in the status bar. Otherwise, in Firefox click Tools-->Options-->Content-->Enable JavaScript.
11. Press [F5] to refresh the page.
12. Repeat steps 5 through 8.
13. Notice that the text in Notepad is:
Andy Rooney so dreaded the day he had to end his signature '60 Minutes' commentaries
14. Reopen bug 699688.
I have no doubt that Adobe Flash is a major security hole and that clipboard hijacking can probably also occur with that god-awful flash plugin, which is one of many reasons to install the FlashBlock add-on. However, clearly this particular bug is being caused with JavaScript and only JavaScript enabled. Therefore, it must be a separate issue from any security issue with Adobe Flash.
If you really are having a difficult time reproducing this bug, I am willing to do a Skype session with screen sharing to prove that it really does happen.
And yes, I may be a bit of a smart-ass, but that does mean I'm smart. And I absolutely hate malware.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
(In reply to j.j. from comment #2)
> Are other browsers different?
Chrome 15 does behave identically to Firefox 7 even with Flash disabled via (about:plugins). I have not tested Internet Explorer, but that piece of **** browser does explicitly allow JavaScript access to the clipboard, so I imagine so. But let's not make Firefox like IE.
I have read online that the tynt.com hijacking technique does NOT work with Opera. However, it has been a long time since I've installed that browser, so I cannot verify if Opera is immune to this problem.
Under Firefox 7, I have seen this problem in both Windows XP x32 SP3 and Windows 7 x64. I have not tested other OSes. It might be Windows specific, but it's certainly worth checking out on Linux and MAC OS.
Comment 6•14 years ago
Dan, if your goal is to report an actual problem in order to get it addressed, being concise should be your goal. Being pedantic like in comment 4 does not help anyone. It took me a bit to even figure out what you're talking about, even with comment 4. (putting quotes or lines or something around the copy results would've made things readable; apparently the "Read more" is part of the copied bit)
At this location:
http://www.dailymail.co.uk/news/article-2057948/Andy-Rooney-dies-92-Veteran-journalist-dead-month-retiring.html
Text to select and copy:
----------
Andy Rooney so dreaded the day he had to end his signature '60 Minutes' commentaries
----------
What actually ends up in the clipboard:
----------
Andy Rooney so dreaded the day he had to end his signature '60 Minutes' commentaries
Read more: http://www.dailymail.co.uk/news/article-2057948/Andy-Rooney-dies-92-Veteran-journalist-dead-month-retiring.html#ixzz1csIDsUzC
----------
None of this is in any way stated in comment 0 and isn't even remotely related to your initially stated expected/actual results. Please don't be astounded that I'm not psychic...
For what it's worth the above was easily reproducible for me under Linux.
Simply altering what is copied off of a page might be annoying, but is far from the full blown security problem that giving real access to the clipboard without restrictions would be. Not sure how it's doing it though. My guess is adding something to the selection using window.getSelection() and related APIs.
https://developer.mozilla.org/en/nsISelection
As I said above, there's nothing unexpected about a page having access to itself and being able to run scripts on itself like this. Yes, if it could do it to just whatever is already in your clipboard or another page then that would be bad, but that's not this.
OS: Windows XP → All
Hardware: x86 → Other
Updated•14 years ago
Hardware: Other → All
> Simply altering what is copied off of a page might be annoying, but is far from the full blown security problem that giving real access to the clipboard without restrictions would be.
The exploit also sends the contents of the clipboard to a server. If the text selected were something like a bank accounting number, it might get a little more interesting.
Comment 8•14 years ago
(In reply to Dan from comment #7)
> The exploit also sends the contents of the clipboard to a server. If the
> text selected were something like a bank accounting number, it might get a
> little more interesting.
If you were selecting your bank account number then you'd be on your bank's website where it would already know such a thing. The particular complaint about copying doesn't even matter as the page can of course send whatever is in itself to itself without you having to do something. In other words, don't type/paste private information to a page you don't want to give it to.
Wow, if Firefox's answer to "some malware snooped a bank account or credit card number from my clipboard" is "just don't copy sensitive information" then I think Firefox needs to give back the reputation for most secure browser. Time to start using Opera.
Do you really think that it is reasonable to expect the average Internet user to even know in advance of this kind of leak? And are you really so naive to assume that in the entire vast use case space of the Internet the only time a routing number will appear is in a secured socket layer connection to the bank account that manages the account? If these are your premises, then please let someone else handle this defect.
The goal of a project manager should NOT be to keep the bug report number down using any means possible. The whole purpose of the bug reports is to prevent problems in the field. Good project managers absolutely hate to close bug reports as "unconfirmed" or "resolved as not important enough to fix" as these are failures. Bad project managers don't care as long as the total bug reports remains low. I've worked for both good and bad project managers. You get better software with good ones. So, if you don't care about debugging and fixing this problem, then just let someone else take up the mantle.
I just made the effort to move from Firefox 2, the last great version of Firefox, to Firefox 7 simply because Firefox 2 can't handle a large portion of websites today. Don't make me regret that decision.
I don't want to use Opera. And I certainly don't want to use a browser built by Google as they are already very powerful, and power corrupts. But what choice do I have but to move to Opera or Chrome if the Firefox developers do not take security seriously. And if you really did understand what a truly malevolent developer could do with this exploit, you'd **** your pants.
For years I've been telling people to stop using Internet Explorer and start using Firefox instead. I've helped move all of my family and friends from IE to Firefox. Don't make me move them all to some other browser just because Dave doesn't think this security hole is worth fixing. This kind of problem really does kill the trust between user and browser exactly because it's the kind of problem that the user would never expect to occur.
Comment 10•14 years ago
You really like to jump to conclusions and overreact. As I said above, the webpage is getting at a selection in the webpage. There is nothing even remotely indicating that it has access to the clipboard contents, just what is selected /in the page itself/ before being then copied to it.
This bug report page of course has scripts running in it, and of course has access to the text above as well as this text as I'm typing it. If I copy some private data in another tab, window, or application, then of course this tab shouldn't and won't have access to that unless I paste it in here.
Sending something extra to the clipboard is not the same as taking something from it. I don't know how I can say this any more clearly.
Also, why on Earth do you seem to think I'm some kind of "project manager"? I'm just a volunteer who triages bugs here in his spare time to help filter through the noise here so issues can be addressed.
Comment 11•14 years ago
This isn't an interaction directly with the clipboard, it's the page adjusting the selection before the text is copied. Working as expected, and there's clearly no security issue here.
I agree that it's _annoying_, and I'd even welcome a bug (and patch!) to allow changing this.
Save your rants for your blog, Bugzilla isn't a place for them. Dave Garrett's a community volunteer, and has been _more_ than painstakingly patient with you. This report is no longer useful or productive. We're done here.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → INVALID
Comment 13•12 years ago
In my opinion Firefox should take care that only the content is copied to the clipboard that was visually selected.
Comment 14•12 years ago
Just a little summary:
- It is possible with CSS and/or JavaScript to hide text which gets copied to the clipboard unexpectedly for a user.
* As this text can contain newlines and the site was some sort of tutorial the user could paste the content to a terminal which will immediately execute all commands of the attacker.
* The "Open link..." feature of the Firefox context menu would forward the user to an unexpected site. So Firefox favors phishing here until this is fixed.
If I'm wrong with something feel free to correct me.
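The comparison made by hand in comment 6 (text selected versus what ended up in the clipboard) and the unexpected-newline case raised in comment 14 can be checked mechanically before pasted text is trusted. The following is an added example, not part of the bug thread and not Firefox code; `auditCopy` and its finding labels are hypothetical names, and the third sample is constructed.

```javascript
// Added example: report how clipboard text differs from what the user selected.
// auditCopy() and the finding labels are hypothetical, not a browser API.
function auditCopy(selected, clipboard) {
  const norm = (s) => s.replace(/\r\n?/g, "\n");
  const sel = norm(selected).trim();
  const clip = norm(clipboard);
  const findings = [];

  // Locate the visible selection inside the clipboard text.
  const at = clip.indexOf(sel);
  let extra;
  if (at === -1) {
    findings.push("selection-replaced");
    extra = clip; // nothing matches, so treat everything as unselected text
  } else {
    const before = clip.slice(0, at);
    const after = clip.slice(at + sel.length);
    if (before.trim()) findings.push("text-prepended");
    if (after.trim()) findings.push("text-appended");
    extra = before + after;
  }

  // A newline the user did not select submits the line when pasted into a shell.
  if (extra.includes("\n")) findings.push("added-newline");
  // Control characters other than tab and newline are never visible in a selection.
  if (/[\x00-\x08\x0b-\x1f\x7f]/.test(extra)) findings.push("control-characters");
  // A URL outside the selection, such as an appended tracking link.
  if (/https?:\/\/\S+/.test(extra)) findings.push("added-url");
  return findings;
}

// Sample 1: the selection and clipboard contents quoted in comment 6.
const SELECTED =
  "Andy Rooney so dreaded the day he had to end his signature '60 Minutes' commentaries";
const CLIPBOARD = SELECTED + "\nRead more: http://www.dailymail.co.uk/news/" +
  "article-2057948/Andy-Rooney-dies-92-Veteran-journalist-dead-month-retiring.html" +
  "#ixzz1csIDsUzC";

// Sample 2 (constructed): a tutorial command with an unselected second line.
const CMD_SELECTED = "ls -la";
const CMD_CLIPBOARD = "ls -la\necho hidden-line\n";

console.log(auditCopy(SELECTED, CLIPBOARD));         // comment 6 case
console.log(auditCopy(SELECTED, SELECTED));          // unmodified copy
console.log(auditCopy(CMD_SELECTED, CMD_CLIPBOARD)); // comment 14 case
```

An empty result means the clipboard holds exactly the selected text; any finding is a reason to paste into a plain text editor first rather than directly into a terminal.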