Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is writing to the clipboard in JS considered a security hole?

It seems there is currently no pure JavaScript method for accessing the system clipboard using most modern browsers, Internet Explorer being an exception. On numerous other Stack Overflow questions (e.g., Clipboard access using Javascript - sans Flash?) it's explained that this limitation is a deliberate security measure to protect against web sites reading passwords or other sensitive data from the clipboard.

While it seems obvious that reading from the clipboard would be a huge security risk, it's not clear to me why writing to the clipboard would be. What scenario, if any, are browsers protecting against by denying JS the ability to copy data to the clipboard?

like image 292
goodside Avatar asked Aug 14 '11 22:08

goodside


2 Answers

Writing to the clipboard is a way for malicious web sites (or other code running within sites, such as flash-based ads) to trick users into spreading malware. This happened a few years ago with flash-based ads that copied a malware URL onto the clipboard, in hopes that users would paste it when they intended to paste something else, thus polluting things like facebook posts, forums, and e-mail. Instead of a link to a photo of Aunt Tilly's cat, you'd paste a link to some drive-by malware. Typically these were the "you've been infected with a virus, pay us $50 for the removal software" fake antivirus scams. I did some research on it, as a lot of my ClipMate customers were asking why these nasty URLs were suddenly appearing in ClipMate. While researching, I was attacked by flash-based ads on MSNBC and DIGG. The clipboard has been subsequently locked down in Flash 10. You can read more about my saga here: http://www.clipboardextender.com/defective-apps/clipboard-virus-not-exactly-but-still-dangerous

I expect that the JavaScript restriction is to prevent similar things from happening.

like image 61
Chris Thornton Avatar answered Oct 21 '22 22:10

Chris Thornton


What if the user doesn't want his or her clipboard overwritten?

like image 43
Delan Azabani Avatar answered Oct 21 '22 22:10

Delan Azabani