@micro_cat @nixCraft websites that strictly prohibit or circumvent browser functionality should be automatically flagged as untrustworthy and treated the same as a broken SSL cert.
I'm always shocked and disappointed when I hit ctrl+f only for some dumbass proprietary "find" form to pop up (looking at you, GitHub).
If anything, allowing JS to circumvent user input standards is a clear violation of the ADA since it breaks POUR standards as it breaks out of existing "normal" operations.
@nixCraft Wow, this is damning. I know Mozilla isn't focused on Linux, but this has a very simple fix.
In the meanwhile, I'm at least somewhat protected by xfce4-terminal, which warns me before pasting anything with a line break.
@adamhotep @nixCraft @FirefoxNightly @stevetex @firefox hmm... I feel like there must be more to this story than meets the eye, because I (running Firefox on X11 on Linux) tried to reproduce the issue with the proof-of-concept links provided in the message and it completely failed. My clipboard contents were not affected at all.
Not to say it shouldn't be fixed, but I am a bit skeptical about the degree of alarm that is justified here - I mean, the scope of this seems like it may be something less than the "all Firefox+X11 users" suggested by the original post.
More complicated than it looks, and apparently largely not Firefox-specific. Counterpoint in the thread from an experienced vulnerability researcher:
https://www.openwall.com/lists/oss-security/2023/10/18/5
... Though the initial researcher claims otherwise:
https://www.openwall.com/lists/oss-security/2023/10/20/7
And a partial workaround (for the terminal cases) - disabling some characters in paste:
@nixCraft requires JavaScript.
Run NoScript alongside your adblocker to prevent this and many other exploits
@nixCraft good thing I always quit Firefox as soon as I'm done with it.
Takeaway: don't paste from any selection while it's running.
And maybe Bloatzilla should disable programmatic access to the PRIMARY selection, period.
Is Firefox on Wayland included in "X11" in this context? (Sometimes xorg is referred to as "X11", thus my question.)
all the cool X developers left a while ago. it's fundamentally not suited to today's requirements. but hey! the future is now!