Opened 6 years ago

Last modified 3 years ago

#13014 new defect

copy and paste trick could be used to deanonymise users

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


This website demonstrates a trick that could easily be used to deanonymise users by tricking them into copying malicious commands into the clipboard.

Mitigating this threat might be difficult; one way would be to display a notification containing the contents of the clipboard whenever something is copied.


Change History (3)

comment:1 Changed 6 years ago by arma

Component: - Select a component → Tor Browser
Owner: set to tbb-team

comment:2 Changed 6 years ago by cypherpunks

Since the trick relies on CSS attributes to hide the malicious text from the user, maybe one could mitigate this by ensuring that certain attributes (display/position) are ignored on selected text (the CSS -[moz-]selection selector).

comment:3 Changed 3 years ago by arma

Severity: Normal

I wonder if the browser people (e.g. Firefox or Chrome) have any answers for this issue? It is a security issue, which is what allows it to become a privacy issue.
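
The notification idea from the ticket description, as an added example that is not part of the ticket or of Tor Browser's code: it builds a notice showing exactly what was copied, with line breaks and invisible characters made explicit. The function names, the preview limit and the sample string are assumptions made for illustration.

```javascript
// Added example; names and limits are hypothetical, not from the ticket.
const MAX_PREVIEW = 300; // characters of the copied text shown in the notice

// C0 controls except LF, DEL, zero-width characters and bidi controls.
const INVISIBLE =
  /[\u0000-\u0009\u000b-\u001f\u007f\u200b-\u200f\u202a-\u202e\u2066-\u2069\ufeff]/g;

// Replace characters a plain preview would hide with visible escapes.
// Line breaks are kept, but each one is also spelled out as "\n".
function revealInvisible(text) {
  return text
    .replace(INVISIBLE, (ch) => `\\u{${ch.codePointAt(0).toString(16)}}`)
    .replace(/\n/g, "\\n\n");
}

// Summarise what actually went to the clipboard.
function buildClipboardNotice(copied) {
  const warnings = [];
  const lineBreaks = (copied.match(/\n/g) || []).length;
  const hidden = (copied.match(INVISIBLE) || []).length;
  if (lineBreaks > 0) warnings.push(`line breaks: ${lineBreaks}`);
  if (hidden > 0) warnings.push(`invisible characters: ${hidden}`);
  const shown = revealInvisible(copied);
  const preview = shown.length > MAX_PREVIEW
    ? shown.slice(0, MAX_PREVIEW) + ` ... (${copied.length} chars total)`
    : shown;
  return { preview, warnings };
}

// Constructed sample: two lines plus a zero-width space, where the user
// believed only "echo one" had been selected.
const SAMPLE = "echo one\necho two\u200b\n";

// Browser wiring (skipped outside a browser). Assumption: the selection's
// text is what reaches the clipboard; a page can replace it in its own copy
// handler, which this listener does not see.
if (typeof document !== "undefined") {
  document.addEventListener("copy", () => {
    const notice = buildClipboardNotice(String(document.getSelection()));
    console.info("Copied to clipboard:\n" + notice.preview, notice.warnings);
  });
}
```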
