InformAction Forums

Similar to clickjacking, it would be useful if NoScript Alerted you against WYSINWYC (What you see is not what you copy) attacks. Taking this recent example which contain suspicious span tags:
http://thejh.net/misc/website-terminal-copy-paste

I also tried "Copy as Plain Text" FireFox addon to no avail. As of yet ther appears to be no solution to mitigating this type of attack without copying and pasting everything into a text editor first.

Wow. Potentially nasty. It would have to be much more limited on Windows, though, right?

I'd say this is in the same category as clickjacking and cursorjacking, probably worth doing.

Thrawn wrote:It would have to be much more limited on Windows, though, right?

Why that?

Afaik, Windows shell is much less powerful. You wouldn't normally be able to curl and execute a script, for example. But maybe I'm wrong.

Bump

Any plans to implement protection against this attack in NoScript?

WONTFIX on the Mozilla end.

Bug 504748 - Web sites can make Ctrl+C copy something other than what it looks like you are copying

Bump (x3)

I've got no idea on how ensuring that the textual selection only contains visible elements, given the insane amount of ways you've got to conceal stuff on a web page (beside display: none, you've got opacity, font size, color combos, absolute positioning, 3d transforms, z-index... shall I go on?).
So, I lean toward WONTFIX here as well.
Only thing you may easily implement, if concerned, would be a surrogate or userscript to intercept the copy event and give user a confirmation prompt, but looks like a huge pain in the ass for little gain: if really concerned, you could just look a bit more carefully at whatever you paste out of a browser.

OK thanks for the response Giorgio. Suppose I'll try to do something like that in a separate addon then, when I get the chance.

I don't suppose a similar approach to Clearclick would be feasible? Something that would compare the appearance of the selected area to the appearance of the selected text in isolation?

Thrawn wrote:I don't suppose a similar approach to Clearclick would be feasible? Something that would compare the appearance of the selected area to the appearance of the selected text in isolation?

"In isolation" from what? ClearClick isolates an embedded document or plugin from its cross-origin embedder, but in this case we've got a single document.

Giorgio Maone wrote:"In isolation" from what?

I think Thrawn means "compare the appearance of the selection in the page to the appearance of the selection as it would appear if copied and pasted into a blank page and all CSS stripped"

barbaz wrote:

Giorgio Maone wrote:"In isolation" from what?

I think Thrawn means "compare the appearance of the selection in the page to the appearance of the selection as it would appear if copied and pasted into a blank page and all CSS stripped"

It could never work IMHO.
If you remove all the CSS, you're almost sure to fire a false positive (what about font size, container size, colors and so on?)
If you start blacklisting CSS attributes (e.g. opacity) you're entering an arms race you cannot possibly win (what would you do with very similar background and foreground colors, for instance? Or how do you evaluate the visual effect of a complex transform/filter?)

Fair enough. I've taken to pasting things into a text editor before a shell.