Back when Windows NT was king, Microsoft was able to claim that it met the strict “Orange Book” C2 security certification. The catch? Don’t install networking and remove the floppy drives. Turns out most of the things you want to do with your computer are the very things that are a security risk. Even copy and paste.
[Michal Benkowki] has a good summary of his research which boils down to the following attack scenario:
Visit a malicious site.
Copy something to the clipboard which allows the site to put in a dangerous payload.
Visit another site with a browser-based visual editor (e.g., Gmail or WordPress)
Paste the clipboard into the editor.
The issue is that the editors accept HTML data and this allows the clipboard to inject JavaScript. If you’ve never worked with the clipboard at the API level, it might surprise you to learn that the clipboard usually has more than one item in it at a time. For example, the clipboard could have some plain text, some HTML, and a special proprietary format all at one time. Presumably, though, all of those items represent the same information.
Browsers are aware of this problem and attempt to clean text they put on the clipboard. [Michal] put together the “Copy and Paste Playground” to allow exploration and demonstrate what the browsers will and won’t accept.
The rest of the post covers fixed bugs in several major browsers and editor systems, including GMail and Google Docs. There is also some discussion of a few systems that remain nameless since the bugs have not yet been fixed.
[Michal] ..
Support the originator by clicking the read the rest link below.
