Clipboard Attacks
Environment Setup/Error Reporting: https://sts.tools/setup
Browser Clipboard Attacks/Defense ep_3
Talk Scope
- Live example of a CSS clipboard attack
- Can give the attacker remote code execution
- Live example of a Javascript clipboard issue
- Understand how invisible characters in your clipboard can invade your privacy
- Learn how clipboard attack mitigations can be bypassed
- Learn secure ways of interacting with our clipboard
CSS Attack Ex
- Env Setup
docker run -it ubuntu bash
apt-get update && apt-get install -y git
- Will give you a safe terminal prompt
- https://sts.tools/clipboard-attacks-css
- Paste in Version #1 and Version #2 into the terminal
- What differences do you notice?
CSS Attack Ex (CONT.)
- Phishing
- Attacker puts link in <div>: Check out this new bitcoin exchange at https://exchange.example.com
- User can't click the link, so they copy/paste
- Attacker places https://evil-exchange.example.com into the clipboard
- Further obfuscation
- Could remove itself from $HOME/.bash_history
- How does the CSS Vector compare with the Javascript Vector?
Clipboard APIs: document.execCommand()
- document.execCommand()
Cross-Browser Clipboard Access
- "You can use the cut and copy commands without any special permission if you are using them in a short-lived event handler for a user action (for example, a click handler)" - Mozilla
- onclick within <body>
- Much more invasive compared to CSS Vector
Javascript Attack Ex
- https://sts.tools/clipboard-attacks-js
- Ad networks that allow Javascript execution
- On all bitcoin sites, copy malicious bitcoin address to clipboard
- "How to Buy X Cryptocurrency" Article
- Override clipboard to contain attacker controlled bitcoin address
Clipboard APIs: Clipboard API
- Experimental technology
- Meant to give more granular permissions
- Replacing execCommand
- Additional Resources
- Chrome Dev Fiddle
Future JS Clipboard Attacks?
- Potential future attacks as clipboard APIs advance
- What if Javascript could easily copy an image to the clipboard?
- Image Compression Bombs
- DoS attack
- To calculate how much memory an image will require to render, simply multiply the pixel ratio by the bit-depth –– a 50Kx50K pixel, 8-bit (RGB) image will require about 2.5GB (50,000 x 50,000 x 1 byte = 250,000,000 bytes) - https://bomb.codes/bombs
- Other Javascript considerations?
- Clipboard Fingerprinting
Clipboard Fingerprinting
- Example: https://umpox.github.io/zero-width-detection/
- Zero-width characters
- Invisible characters that are not usually displayed
- How does this work?
- Username is converted to binary
- Binary username is converted to zero-width characters
- Inserted zero-width username into the text
- More info within link above
Mitigations: Zero-width Characters
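The encoding steps from the Clipboard Fingerprinting slide, with detection and stripping of the result, as an added example that is not part of the original talk. The bit-to-character mapping (0 as U+200B, 1 as U+200C), the function names and the sample strings are assumptions made for this demo, not the linked tool's scheme.

```javascript
// Zero-width code points checked here: ZWSP, ZWNJ, ZWJ, word joiner, BOM/ZWNBSP.
// Caveat: ZWJ/ZWNJ are legitimate in emoji sequences and some scripts, so
// strip text you are about to re-share rather than filtering everything.
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;

// Assumed demo encoding: bit 0 -> U+200B, bit 1 -> U+200C, 8 bits per byte.
const BIT0 = "\u200B";
const BIT1 = "\u200C";

// Builds the constructed sample: hides `username` after the first word.
function embedFingerprint(text, username) {
  const bits = [...new TextEncoder().encode(username)]
    .map((b) => b.toString(2).padStart(8, "0"))
    .join("");
  const hidden = [...bits].map((bit) => (bit === "1" ? BIT1 : BIT0)).join("");
  const cut = text.indexOf(" ");
  return cut === -1 ? text + hidden : text.slice(0, cut) + hidden + text.slice(cut);
}

// Detection: list every zero-width character with its index and code point.
function findZeroWidth(text) {
  return [...text.matchAll(ZERO_WIDTH)].map((m) => ({
    index: m.index,
    codePoint: "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Recovers the hidden bytes under the assumed encoding; returns null when
// there is no payload or it is not a whole number of bytes.
function decodeFingerprint(text) {
  const bits = [...text]
    .filter((ch) => ch === BIT0 || ch === BIT1)
    .map((ch) => (ch === BIT1 ? "1" : "0"))
    .join("");
  if (bits.length === 0 || bits.length % 8 !== 0) return null;
  const bytes = bits.match(/.{8}/g).map((byte) => parseInt(byte, 2));
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Mitigation: remove the characters before pasting the text anywhere public.
function stripZeroWidth(text) {
  return text.replace(ZERO_WIDTH, "");
}

// Constructed sample: renders identically to the clean sentence.
const clean = "Quarterly numbers are attached.";
const marked = embedFingerprint(clean, "alice");
console.log(marked.length - clean.length, "hidden characters");
console.log(decodeFingerprint(marked), stripZeroWidth(marked) === clean);
```

Comparing string length before and after `stripZeroWidth` is a quick check on any copied text, since the two versions look the same on screen.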
Mitigations: Terminal Attacks
- "Paste Into Vim"
- Paste into CLI utility
- Pasting ^Z will return to the shell
- Bracketed Paste Mode
- When set, pasted text is delimited with control sequences so that the program can differentiate pasted text from typed-in text
- What if the attack string contains the closing delimiter?
Mitigations: Terminal Attacks (CONT.)
- Takeaway
- Just inspect the text outside of an execution context :)
- Chrome address bar doesn't respect newlines
- iterm Advanced Paste Mode
Other Vectors/Issues
- Copy Pest
- Facebook iOS app reading information from clipboard