Browser Clipboard Attacks/Defense ep_3

Talk Scope

1. Live example of a CSS clipboard attack
   • Can give the attacker remote code execution
2. Live example of a Javascript clipboard issue
   • Understand how invisible characters in your clipboard can invade your privacy
3. Learn how clipboard attack mitigations can be bypassed
4. Learn secure ways of interacting with our clipboard

CSS Attack Ex

• Env Setup
  • docker run -it ubuntu bash
  • apt-get update && apt-get install -y git
  • Will give you a safe terminal prompt
• https://sts.tools/clipboard-attacks-css
• Paste in Version #1 and Version #2 into the terminal
• What differences do you notice?

CSS Attack Ex (CONT.)

• Phishing
  • Attacker puts link in <div>
    • Check out this new bitcoin exchange at https://exchange.example.com
    • User can't click the link, so they copy/paste
  • Attacker places https://evil-exchange.example.com into the clipboard
• Further obfuscation
  • Could remove itself from $HOME/.bash_history
• How does the CSS Vector compare with the Javascript Vector?

Clipboard APIs: document.execCommand()

• document.execCommand()

• Cross-Browser Clipboard Access

  document.execCommand('cut');
  document.execCommand('copy');
  document.execCommand('paste');

• You can use the cut and copy commands without any special permission if you are using them in a short-lived event handler for a user action (for example, a click handler) - Mozilla
  • onclick within <body>
    • Much more invasive compared to CSS Vector

Javascript Attack Ex

• https://sts.tools/clipboard-attacks-js
• Ad networks that allow Javascript execution
  • On all bitcoin sites, copy malicious bitcoin address to clipboard
  • "How to Buy X Cryptocurrency" Article
    • Override clipboard to contain attacker controlled bitcoin address

Clipboard APIs: Clipboard Api

• Experimental technology
• Meant to give more granular permissions
• Replacing execCommand
• Additional Resources
• Chrome Dev Fiddle
  • https://sts.tools/chrome-team-fiddle

Future JS Clipboard Attacks?

• Potential future attacks as clipboard apis advance
• What if Javascript could easily copy an image to the clipboard?
  • Image Compression Bombs
    • DoS attack
  • To calculate how much memory an image will require to render, simply multiply the pixel ratio by the bit-depth –– a 50Kx50K pixel, 8-bit (RGB) image will require about 2.5GB (50,000 x 50,000 x 1 byte = 250,000,000 bytes) - https://bomb.codes/bombs
• Other Javascript considerations?
  • Clipboard Fingerprinting

Clipboard Fingerprinting

• Example: https://umpox.github.io/zero-width-detection/
• Zero-width characters
  • Invisible characters that are not usually displayed
• How does this work?
  1. Username is converted to binary
  2. Binary username is converted to zero-width characters
  3. Inserted zero-width username into the text
• More info within link above

Mitigations: Zero-width Characters

• https://github.com/chpmrc/zero-width-chrome-extension

Mitigations: Terminal Attacks

• "Paste Into Vim"
  • Can have issues
• Paste into CLI utility
  • Pasting ^Z will return to the shell
• Bracketed Paste Mode
  • When set, pasted text is delimited with control sequences so that the program can differentiate pasted text from typed-in text
  • What if the attack string contains the closing delimiter?

Mitigations: Terminal Attacks (CONT.)

• Takeaway
  • Just inspect the text outside of an execution context :)
  • Chrome address bar doesn't respect newlines
  • iterm Advanced Paste Mode

Other Vectors/Issues

• Copy Pest
  • https://www.youtube.com/watch?v=t7sUajttbDM
  • https://www.slideshare.net/x00mario/copypest
• Facebook iOS app reading information from clipboard
  • https://news.ycombinator.com/item?id=16034854

Additional Resources

• Clipboard API
  • https://w3c.github.io/clipboard-apis
  • https://developers.google.com/web/updates/2018/03/clipboardapi
  • https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API