• Kethal@lemmy.world
    link
    fedilink
    English
    arrow-up
    200
    ·
    edit-2
    2 months ago

    It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read. On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.

    @SkaveRat pointed out that it doesn’t require permission, only interaction. So likely there’s a button that’s clicked that writes to the clipboard, and most browsers are susceptible to this.

    • SkaveRat@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      177
      ·
      2 months ago

      not when there was a user intent like clicking a button.

      For example in this screenshot, it’s likely that there’s only the “verify I’m human” button first, you click it, the steps pop up, and at the same time the command ist copied into your clipboard

      • MeatsOfRage@lemmy.world
        link
        fedilink
        English
        arrow-up
        94
        ·
        edit-2
        2 months ago

        Exactly, copy requires a click but there’s no rule that the copy button has to look like anything particular

        • dan@upvote.au
          link
          fedilink
          English
          arrow-up
          17
          ·
          edit-2
          2 months ago

          It doesn’t necessarily need a click - it can be triggered by a keypress too (eg at my workplace we have a few internal pages where you can press a keyboard shortcut to copy a shortened URL for the current page).

          It has to be something the browser considers a user interaction, meaning the user has expressed an intent to perform the action. That’s usually a button press or keypress.

      • lando55@lemmy.world
        link
        fedilink
        English
        arrow-up
        22
        ·
        edit-2
        2 months ago

        Why isn’t the default behavior for browsers to not allow access to the clipboard? Similar to how it prompts you for access to camera/microphone

        Edit: On a per-site basis, like if you use the Zoom website it asks you for access to the webcam, would something like this work for clipboard as well or would it break stuff?

        • schnurrito@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          27
          ·
          edit-2
          2 months ago

          There is no inherent security problem with changing the content of the clipboard. That doesn’t do anything until the user pastes it somewhere; of course if that “somewhere” is a command prompt, then that is a security problem, but users really ought to check what they’re pasting there before they execute it (yeah, I know, “ought to”).

          It would be possible to do it the way you say, but that would mean that the user would need to allow that for many websites; I don’t think copying from apps like Google Docs would work anymore, and “here’s your access token, click here to copy it to the clipboard” features certainly wouldn’t.

          The screenshot in the OP would then probably be changed to include a step “click: allow clipboard access”; I think most people who fall for the screenshot in the OP would also fall for that.

          • MeatsOfRage@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            ·
            2 months ago

            Exactly. Furthermore they’d probably just include it in those instructions “Step 1: when the box pops up with clipboard press allow”

        • madcaesar@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          2 months ago

          The browser can’t access your clipboard contents without permission, but it can place text into the clipboard.

          The problem is people the talking the copied text and pasting it into the command prompt.

          • lando55@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            2 months ago

            Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.

            Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.

            • Zaemz@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              2 months ago

              In Firefox, you can disable the clipboard events. I’ve done this for the rare case of me copy+pasting a password and forgetting to clear the clipboard after.

              On Android, I’ve noticed that it’s possible for apps to read from the clipboard, to read OTP tokens for example. Since I noticed that a while back, I’ve always been wary of the clipboard on any device I’ve used.

          • dan@upvote.au
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 months ago

            but it can place text into the clipboard.

            Only as the result of a user interaction, for example by pressing a button.

            • T156@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              From the Browser’s viewpoint, would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?

              It’s not like there’s that much of a difference, as far as the Browser is concerned.

              • dan@upvote.au
                link
                fedilink
                English
                arrow-up
                3
                ·
                2 months ago

                would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?

                Clicking a button shows user intent, whereas a page load doesn’t. No user expects loading a page to overwrite their clipboard, but every user that clicks a “Copy to Clipboard” button does expect it.

    • kent_eh
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      2 months ago

      It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it

      Yeah, that’s a security hole that I hadn’t been aware of.