with firefox on X11, any page can pastejack you anytime

[PaleLuc]

In firefox running on X11, any script from any page can freely write to
the primary selection, and that can be easily exploited to run arbitrary code
on the user's machine.

No user interaction is necessary -- any page able to run javascript can do it,
including e.g. a page from a background tab of a minimized window, an iframe
inside such a window, an error page, a sandboxed iframe, a page that has
reloaded itself via `meta http-equiv=refresh`, etc.

This applies to all the versions of mozilla/firefox and their derivatives
(seamonkey, etc) that I was able to test, including the latest nightly.

More information here:

https://seclists.org/oss-sec/2023/q4/132

[fatboy]

Interesting and concerning, hopefully this can be patched soon by the Pale Moon team.

Another example where NoScript/uMatrix is a must on today's web.

[Moonchild]

If this worries you, then set clipboard.autocopy to false

[andyprough]

Web pages are not going to "pastejack [me] anytime". I don't paste from primary selection. That's kind of old-school - a lot of the old Unix guys are still in love with their middle-mouse-button for some reason. Almost all mice these days have a scroll wheel in place of the middle mouse button, and it's awkward to press it as a mouse click. I prefer to do as much as possible by using simple and ergonomic keyboard shortcuts, and ctrl-v wins on both counts over shift-insert.

[vannilla]

It's funny because every X11 application is subject to "pastejacking", it's not just Firefox or Pale Moon. It hasn't been a major concern so far because, at most, malicious applications could merely copy/paste data, not much else.
Now that javascript is omnipresent and is used even by desktop environments, it's trivial to actually execute anything.
And of course, this will be blamed on X, despite being nothing but the transmission channel. It would be like shooting the messenger.

[mrnhmath]

It's funny because every X11 application is subject to "pastejacking", it's not just Firefox or Pale Moon. It hasn't been a major concern so far because, at most, malicious applications could merely copy/paste data, not much else.
Now that javascript is omnipresent and is used even by desktop environments, it's trivial to actually execute anything.
And of course, this will be blamed on X, despite being nothing but the transmission channel. It would be like shooting the messenger.

Such twisted logic. They claim that X is outdated with no point in evolving it and X.org is a bloated mess yet they're first to cheerlead over the Living Standard™, same with XUL and its former platform. The pattern is right in front of people's faces yet no one gives a damn.

[moonbat]

I've seen that pasting a command into the terminal on Linux Mint(such as when adding a new apt repository) immediately pops up the pasted content in a separate dialog with a warning as to whether you meant to paste it, and that one should be wary of malicious scripts.

[jobbautista9]

In Powershell the terminal will always warn you and show you the command you're about to execute if you're pasting something that has a newline in it.

It should be the terminals doing this mitigation by default, not browsers.

And of course there's the fact that PEBCAKs are going to be PEBCAKs anyway and ignore the warnings as fast as they could, as if they're running late for a bus or something.

[Kris_88]

I think scripts should not be allowed to initiate copy and paste operations. Yes, this may create some inconveniences, for example, it will not be possible to create a “copy” button on web pages, but you can always create a “select” button and let the user copy the selection if he wants, using standard system feature. Also, the right of scripts to replace selected text with some of their own data when copying to a clipboard or to prohibit copying altogether seems questionable.

[moonbat]

the right of scripts to replace selected text with some of their own data when copying to a clipboard or to prohibit copying altogether seems questionable.

My extension PermissionsPlus (link in sig) lets you prevent clipboard manipulation on a per site basis.

[Moonchild]

I think scripts should not be allowed to initiate copy and paste operations.

That would break a large number of legitimate websites. Many sites rely on providing the convenience for users to have such "copy" buttons. Clipboard manipulation is and has been for a long time part of the web standard, this isn't new, and is in use by many websites. It is simply not practical at this point to rewrite this behaviour in browsers and expect users to accept that they can no longer click and copy. Have you tried manually copying text on a mobile phone recently? It's a PITA because of the limitations of a touchscreen and big sausage "input devices" (i.e. fingers).

Also, the right of scripts to replace selected text with some of their own data when copying to a clipboard or to prohibit copying altogether seems questionable.

Once again, many legitimate websites use this. Always copying "what a user selects" without performing any data transformation on it can be just as problematic, especially if the selection wasn't accurate. Yes, I'm aware that some websites use the annoying practice of tacking on arbitrary data to what is selected and copied, but that doesn't make the ability to put into the clipboard what was intended in itself a bad thing.

And, Pale Moon still gives you full control over all this. See the following prefs to customize the behaviour to your liking:
clipboard.autocopy
clipboard.plainTextOnly
dom.event.clipboardevents.enabled

[Kris_88]

My extension PermissionsPlus (link in sig) lets you prevent clipboard manipulation on a per site basis.

And, Pale Moon still gives you full control over all this. See the following prefs to customize the behaviour to your liking:
clipboard.autocopy
clipboard.plainTextOnly
dom.event.clipboardevents.enabled

This is great!
Thank you!