Opened 4 years ago

Last modified 14 months ago

#17558 needs_information defect

Sanitize copying to clipboard

Reported by: cypherpunks
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords:
Cc: it@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Let's consider a simple scenario:
1. The user copies text from a website.
2. The user pastes it into an MS Word document.
3.1. The text has a transparent img in it; when the user pastes it into MS Word, MS Word loads the img from the network, deanonymizing the user.
or
3.2. The text has a transparent swf in it; when the user copies it, the clipboard logger application understands that it is HTML and tries to render it. In order to do so, it loads the MSIE engine, which loads the Flash plugin, which executes the swf, which collects and sends sensitive data.

Tor Browser must sanitize the info transferred to/from the clipboard, removing all the content available from the network and all the active content (scripts, swfs, applets, etc.).

Change History (9)

comment:1 Changed 4 years ago by cypherpunks

Summary: Copying from clipboard is dangerous → Copying to clipboard is dangerous

comment:2 Changed 4 years ago by cypherpunks

Priority: Medium → High

comment:3 Changed 4 years ago by brade

For future reference: dom/base/nsCopySupport.cpp has some relevant code.
The easiest approach is probably to implement the clipboard hooks in widget/nsIClipboardDragDropHooks.idl; in particular onCopyOrDrag().

comment:4 Changed 3 years ago by cypherpunks

This is a known issue. The same can occur on Linux and UNIX systems, where copying and pasting a single line of text into a terminal compromises you when the paste contains a hidden newline, followed by a malicious line of code, and another newline. Or if you paste text into an IRC client, where it may contain a newline, followed by an /exec statement with a malicious command, and a newline.

Any time a paste contains newlines or control codes, there is an implicit risk, and you may not know if the clipboard buffer contains one, because the text you see may not be all the text that is present.

See https://thejh.net/misc/website-terminal-copy-paste for example.
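
An added example, not part of the ticket and not Tor Browser code: one way the sanitization requested in the description could treat the `text/html` clipboard flavour (allowlist re-serialisation that drops every attribute and all active or embedded content), together with the control-code concern from comment:4 for the `text/plain` flavour. The allowlist, function names and sample strings are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy (hypothetical): formatting tags only, every attribute dropped.
ALLOWED = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "pre", "code"}
# Containers removed together with everything inside them.
DROP_SUBTREE = {"script", "style", "object", "applet", "iframe"}

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0      # skip > 0 while inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            self.out.append(f"<{tag}>")  # attrs ignored: no src, href, style, on*

    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                # text is re-escaped, never passed through raw
            self.out.append(html.escape(data, quote=False))

def sanitize_html(markup):
    """text/html flavour: re-serialise through the allowlist."""
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()                       # flushes text buffered by the parser
    return "".join(parser.out)

# C0/C1 controls and DEL, except tab (\x09) and newline (\x0a).
_CONTROLS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")

def sanitize_plain(text):
    """text/plain flavour: returns (clean_text, has_newline) so the caller can warn."""
    clean = _CONTROLS.sub("", text.replace("\r\n", "\n").replace("\r", "\n"))
    return clean, "\n" in clean

# Constructed samples modelled on the ticket's scenarios.
SAMPLE_HTML = ('<p onclick="x()">Hi <img src="http://t.invalid/p.gif"><b>there</b>'
               '<object data="http://t.invalid/a.swf">alt</object><script>f()</script></p>')
SAMPLE_TEXT = "ls -l\x1b\r\necho second line\r\n"
```

Unknown tags such as `img` or `embed` are dropped while their surrounding text is kept; an unclosed `object` or `script` discards the rest of the fragment, which fails closed.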

comment:5 Changed 2 years ago by DoctorEww

With modern browsers, Tor included, JavaScript can be used to automatically manipulate the contents of a clipboard, so users can unknowingly/unwillingly copy information that could make them identifiable. With this still unfixed, JavaScript is more dangerous than ever.

comment:6 in reply to:  5 ; Changed 2 years ago by gk

Replying to DoctorEww:

With modern browsers, Tor included, JavaScript can be used to automatically manipulate the contents of a clipboard, so users can unknowingly/unwillingly copy information that could make them identifiable. With this still unfixed, JavaScript is more dangerous than ever.

What should a proper fix look like?

comment:7 Changed 14 months ago by cypherpunks

Cc: it@… added
Keywords: exploit clipboard arbitrary code execution copy read paste user system fingerprint leak ip reveal location added
Summary: Copying to clipboard is dangerous → Copying to clipboard is dangerous [ip leak exploit & arb. code exec]

comment:8 Changed 14 months ago by cypherpunks

Keywords: exploit clipboard arbitrary code execution copy read paste user system fingerprint leak ip reveal location removed
Summary: Copying to clipboard is dangerous [ip leak exploit & arb. code exec] → Sanitize copying to clipboard