Closed
Bug 877233
Opened 12 years ago
Closed 12 years ago
a middle button click sends the clipboard content to the network without user's confirmation
Categories
(SeaMonkey :: Security, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 366945
People
(Reporter: mikulas, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 SeaMonkey/2.17.1 (Beta/Release)
Build ID: 20130410210144
Steps to reproduce:
Users typically use the middle mouse button to open a link in a new tab. However, if the user clicks with the middle button on something that is not a link, SeaMonkey tries to interpret the clipboard as a URL and go to that URL. SeaMonkey sends the clipboard content (which may contain security-sensitive information) in clear text to the DNS server.
For example: put asdfasdf on the clipboard. Click anywhere on any page with the middle button. Observe the traffic with tcpdump.
Actual results:
You see that the clipboard content "asdfasdf" is sent in clear text over the network, so anyone on the same network can see it.
18:28:19.696118 IP client.33411 > server.domain: 50316+ A? asdfasdf. (26)
18:28:19.696126 IP client.33411 > server.domain: 54575+ AAAA? asdfasdf. (26)
18:28:19.696682 IP server.domain > client.33411: 50316 NXDomain 0/1/0 (101)
18:28:19.696892 IP server.domain > client.33411: 54575 NXDomain 0/1/0 (101)
Expected results:
The clipboard content shouldn't be sent over the network.
Note that this behavior can cause security problems:
For example: the user tries to log in to a secure site, he types his username, opens a local file with passwords, copies the password to the clipboard, then he tries to paste the clipboard with middle click into the login form (on Xwindows, the clipboard is normally pasted with middle click). If the user by mistake clicks outside the form field, SeaMonkey sends the password in clear text to the network.
This behavior can even be abused by a malicious network operator - the network operator can modify any content received over an insecure HTTP connection. Consequently, he can modify HTML pages so that hyperlinks look like hyperlinks but aren't hyperlinks. If the user clicks with the middle mouse button on some text he believes is a hyperlink, SeaMonkey sends the clipboard content over the network where it can be intercepted.
I know this behavior can be disabled with middlemouse.contentLoadURL, but it should be disabled by default because it has security implications and many users are not aware of the danger.
> middlemouse.contentLoadURL
Disabled by default in Windows.
Enabled by default in Linux (AFAIK).
FF is the same way in Windows.
Wouldn't know about FF & Linux?
But if it too is defaulted 'true' (on) there, then would think this to be a FF issue.
Probably should DUP here: Bug 366945 - middle-clicking on a page starts a load based on clipboard contents (on unix hosts)
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
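Added example (not part of the original report and not SeaMonkey code): one way to look for this leak in a capture is to flag single-label DNS queries in tcpdump text output and record which of them were answered NXDomain, as in the trace above. The function name, the regular expressions and the two www.example.org lines in the sample are constructed for illustration; single-label lookups also occur legitimately (intranet host names), so the result is a triage list.

```python
import re

# Constructed sample: the four tcpdump lines from the report plus one ordinary lookup.
SAMPLE = """\
18:28:19.696118 IP client.33411 > server.domain: 50316+ A? asdfasdf. (26)
18:28:19.696126 IP client.33411 > server.domain: 54575+ AAAA? asdfasdf. (26)
18:28:19.696682 IP server.domain > client.33411: 50316 NXDomain 0/1/0 (101)
18:28:19.696892 IP server.domain > client.33411: 54575 NXDomain 0/1/0 (101)
18:28:25.101200 IP client.40222 > server.domain: 1201+ A? www.example.org. (33)
18:28:25.120911 IP server.domain > client.40222: 1201 1/0/0 A 192.0.2.10 (49)
"""

# Query line: timestamp, client endpoint, query id (+flags), record type, name.
QUERY = re.compile(r"^(\S+) IP (\S+) > \S+\.domain: (\d+)\S* (\w+)\? (\S+) ")
# Response line carrying NXDomain: client endpoint and query id.
NXDOMAIN = re.compile(r"^\S+ IP \S+\.domain > (\S+): (\d+)\S* NXDomain")


def find_single_label_lookups(capture_text):
    """Return one finding per (client host, dotless name) seen in the capture."""
    pending = {}   # (client endpoint, query id) -> finding awaiting a response
    findings = {}  # (client host, name) -> finding
    for line in capture_text.splitlines():
        q = QUERY.match(line)
        if q:
            ts, client, qid, qtype, name = q.groups()
            label = name.rstrip(".")
            if label and "." not in label:  # no dots: not a normal FQDN
                host = client.rsplit(".", 1)[0]  # strip the source port
                f = findings.setdefault(
                    (host, label),
                    {"client": host, "name": label, "first_seen": ts,
                     "types": [], "nxdomain": False},
                )
                if qtype not in f["types"]:
                    f["types"].append(qtype)
                pending[(client, qid)] = f
            continue
        r = NXDOMAIN.match(line)
        if r and (r.group(1), r.group(2)) in pending:
            pending.pop((r.group(1), r.group(2)))["nxdomain"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in find_single_label_lookups(SAMPLE):
        print(f)
```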