Webkit clipboard security hole

While on a search for accessing the System clipboard via JavaScript, it seems I discovered a security hole in Webkit.
Usually system clipboard access is restricted to clipboard events such as oncopy and onpaste. However, I found that you can set the system clipboard from any context (e.g. a timer event).

This can be achieved by adding an IFrame containing a text input element to the document and turning its design-mode / content-editable on. execCommand then becomes available through the added IFrame's document. So, to copy text to the system clipboard, you set the text input's value (in the IFrame) to the text to be copied, then select and focus the text input control, and finally issue an execCommand("copy") on the IFrame.
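The security-relevant point above is the missing gate: a browser is supposed to honour execCommand("copy") only while handling a trusted user action, and the hole is that WebKit honoured it from a timer. The following is an added example, not code from the post or from WebKit; it models that user-gesture gate as a small simulation that runs outside a browser (the one-second activation window, the ClipboardGate class and the scenario function are assumptions made for the model). It shows why a timer-driven write is denied while a click-driven write succeeds, and records the denied attempts as something a defender could log.

```javascript
// Added example: a model of the "transient user activation" gate that a
// browser should apply to execCommand("copy"). NOT WebKit's implementation;
// the window length and class names are assumptions made for this simulation.

const ACTIVATION_WINDOW_MS = 1000; // assumption: how long a gesture stays "fresh"

class ClipboardGate {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock so the scenario is deterministic
    this.activationUntil = -Infinity;
    this.clipboard = null;          // simulated system clipboard contents
    this.denied = [];               // audit trail of blocked write attempts
  }

  // Called only by the dispatcher for trusted input events (click, keydown, ...).
  noteUserActivation() {
    this.activationUntil = this.now() + ACTIVATION_WINDOW_MS;
  }

  hasTransientActivation() {
    return this.now() <= this.activationUntil;
  }

  // Simulated execCommand("copy"): like the real API it returns true on success.
  // A write from a context with no fresh user gesture is refused and logged.
  copy(text, source) {
    if (!this.hasTransientActivation()) {
      this.denied.push({ source, at: this.now() });
      return false;
    }
    this.clipboard = text;
    return true;
  }
}

// Replays the two contexts from the post: a timer callback (should be blocked)
// and a click handler (should be allowed). All inputs are constructed.
function runScenario() {
  let clock = 0;
  const gate = new ClipboardGate(() => clock);

  // 1. A timer fires with no user gesture at all: refused, clipboard untouched.
  const timerResult = gate.copy("https://example.com/injected", "timer");

  // 2. The user clicks a "copy" button; the handler copies what the user chose.
  gate.noteUserActivation();
  const clickResult = gate.copy("user chosen text", "click-handler");

  // 3. Five seconds later a timer tries again: the gesture has expired, refused.
  clock += 5000;
  const lateResult = gate.copy("https://example.com/injected", "timer");

  return {
    timerResult,
    clickResult,
    lateResult,
    clipboard: gate.clipboard,
    deniedSources: gate.denied.map((d) => d.source),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario());
}
```

In a real browser the equivalent check is whether `document.execCommand("copy")` returns false when called from a `setTimeout` callback rather than from a click or keyboard handler; a browser that returns true there is exhibiting the behaviour the post describes.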

Click here for a demo; it is an example with malicious intent: it hijacks the system clipboard by constantly setting its content to a malicious URL (note that it does not harm your computer and it stops when you close the page). Extra effort can be made to avoid scrolling issues when focusing/selecting the text input by using absolute floats. The example is also triggered via a mouse click; a malicious script would probably start copying as soon as it loads.

I’m not sure if the developers of Webkit would consider this a security hole or not. I have tested it on Safari 3 (Windows and Mac) and Chrome 2 (in which it works). I have reported it to them.
