Why is writing to the clipboard in JS considered a security hole?

It seems there is currently no pure JavaScript method for accessing the system clipboard using most modern browsers, Internet Explorer being an exception. On numerous other Stack Overflow questions (e.g., Clipboard access using Javascript - sans Flash?) it's explained that this limitation is a deliberate security measure to protect against web sites reading passwords or other sensitive data from the clipboard.

While it seems obvious that reading from the clipboard would be a huge security risk, it's not clear to me why writing to the clipboard would be. What scenario, if any, are browsers protecting against by denying JS the ability to copy data to the clipboard?



Writing to the clipboard is a way for malicious web sites (or other code running within sites, such as Flash-based ads) to trick users into spreading malware. This happened a few years ago with Flash-based ads that copied a malware URL onto the clipboard, in hopes that users would paste it when they intended to paste something else, thus polluting things like Facebook posts, forums, and e-mail. Instead of a link to a photo of Aunt Tilly's cat, you'd paste a link to some drive-by malware. Typically these were the "you've been infected with a virus, pay us $50 for the removal software" fake antivirus scams. I did some research on it, as a lot of my ClipMate customers were asking why these nasty URLs were suddenly appearing in ClipMate. While researching, I was attacked by Flash-based ads on MSNBC and DIGG. The clipboard has been subsequently locked down in Flash 10. You can read more about my saga here: http://www.clipboardextender.com/defective-apps/clipboard-virus-not-exactly-but-still-dangerous

I expect that the JavaScript restriction is to prevent similar things from happening.


What if the user doesn't want his or her clipboard overwritten?


If the user expects that their clipboard contains one thing, but covertly it's been replaced by another thing, even that's a potential security problem, not just an annoyance.

Although an unlikely attack vector, it's not unreasonable to think something could be dreamed up that involves social engineering: convince the user to paste covertly altered information into a password field on a target resource. That resource would then be secured by a password known to the attacker.


Aside from the above-mentioned vulnerability issues, there's at least one scenario where an improper implementation of the JavaScript clipboard API can raise some security concerns.

Nowadays we have new APIs for establishing a connection between separate windows without invoking the server side, like postMessage, MessageChannel or, say, BroadcastChannel, recently introduced to Firefox. These APIs have different levels of browser support, but all of them consider cross-origin issues. That is, it should be impossible to receive a message from a window on a different host unless this window actually explicitly allows it.

This doesn't hold with the clipboard API. Imagine that some code on the page pastes code to the clipboard and this clipboard is scanned by another window. This is a very strange and highly hypothetical scenario depending on some quite strange and exotic assumptions, but it is worth mentioning.
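The contrast the last answer draws, as an added example that is not part of any answer on this page: a `message` event carries the sender's origin, so the receiver can allowlist it, while pasted text carries no origin, so the paste target can only inspect the content itself (here, links to hosts it does not expect, as in the replaced-URL case from the first answer). The function names, origins and hosts are hypothetical.

```javascript
// Added example; every name and value below is constructed for illustration.

// postMessage side: the browser attaches the sender's origin to each event,
// so the receiver can opt in to specific origins and drop everything else.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

function isTrustedMessage(event, allowed = ALLOWED_ORIGINS) {
  return typeof event.origin === "string" && allowed.has(event.origin);
}

// Clipboard side: pasted text arrives with no origin metadata, so the only
// thing a paste target can check is what the text contains.
const TRUSTED_HOSTS = new Set(["photos.example"]);

function inspectPastedText(text, trustedHosts = TRUSTED_HOSTS) {
  const unexpected = [];
  for (const token of text.split(/\s+/)) {
    if (!/^https?:\/\//i.test(token)) continue; // only web links matter here
    let url;
    try {
      url = new URL(token);
    } catch {
      continue; // not a parseable URL, ignore
    }
    // Compare the parsed hostname, not the raw string, so that
    // "https://photos.example@other.example/" is judged by its real host.
    if (!trustedHosts.has(url.hostname)) unexpected.push(url.href);
  }
  return unexpected;
}

// Browser wiring (skipped outside a browser): hold back a paste containing
// unexpected links until the user confirms that it is what they copied.
if (typeof document !== "undefined") {
  document.addEventListener("paste", (e) => {
    const links = inspectPastedText(e.clipboardData.getData("text/plain"));
    if (links.length === 0) return;
    const msg = "The pasted text contains these links:\n" + links.join("\n");
    if (!confirm(msg + "\nPaste anyway?")) e.preventDefault();
  });
  window.addEventListener("message", (e) => {
    if (!isTrustedMessage(e)) return; // sender did not come from an allowed origin
    // handle e.data here
  });
}
```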

