With firefox on X11 (#Linux and #Unix machines), any page can pastejack you anytime https://www.openwall.com/lists/oss-security/2023/10/17/1 #security #infosec

@nixCraft Wow, this is damning. I know Mozilla isn't focused on Linux, but this has a very simple fix.

In the meanwhile, I'm at least somewhat protected by xfce4-terminal, which warns me before pasting anything with a line break.

Cc @FirefoxNightly @stevetex @firefox

@adamhotep @nixCraft @FirefoxNightly @stevetex @firefox hmm... I feel like there must be more to this story than meets the eye, because I (running Firefox on X11 on Linux) tried to reproduce the issue with the proof-of-concept links provided in the message and it completely failed. My clipboard contents were not affected at all.

Not to say it shouldn't be fixed, but I am a bit skeptical about the degree of alarm that is justified here - I mean, the scope of this seems like it may be something less than the "all Firefox+X11 users" suggested by the original post.

@diazona @nixCraft @FirefoxNightly @stevetex
(Sorry for the delay.) The demo at https://turistu.github.io/firefox/pastejack.html worked for me (FF 119.0 with X.Org 1.21.1.8 on Debian Trixie). Since it included a line break, xfce4-terminal popped up a warning when I tried to paste it with a middle click:
[Image: firefox pastejack example]
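
The kind of pre-paste check mentioned in the thread (a warning before pasting anything with a line break), sketched as an added example; it is not part of the thread and is not xfce4-terminal's code. It goes slightly beyond the thread by also flagging other control characters, and the function names and sample strings are constructed for illustration.

```python
import unicodedata


def paste_findings(text: str) -> list[str]:
    """Return the reasons `text` should be confirmed before it reaches a shell."""
    findings = []
    # A line break means the shell may execute the text without the user pressing Enter.
    if "\n" in text or "\r" in text:
        findings.append("line break")
    # Other control characters (ESC, backspace, ...) can hide or alter what is shown.
    controls = sorted({ch for ch in text
                       if unicodedata.category(ch) == "Cc" and ch not in "\n\r\t"})
    if controls:
        findings.append("control characters: "
                        + ", ".join(f"U+{ord(c):04X}" for c in controls))
    return findings


def render_for_review(text: str) -> str:
    """Make invisible characters visible so the user can read what would be pasted."""
    out = []
    for ch in text:
        if ch == "\n":
            out.append("\\n\n")          # show the break and keep the line layout
        elif unicodedata.category(ch) in ("Cc", "Cf"):
            out.append(f"<U+{ord(ch):04X}>")
        else:
            out.append(ch)
    return "".join(out)


def confirm_paste(text: str, ask=input) -> bool:
    """Allow clean text through; otherwise show it and require an explicit 'y'."""
    findings = paste_findings(text)
    if not findings:
        return True
    print("Paste contains: " + "; ".join(findings))
    print(render_for_review(text))
    return ask("Paste anyway? [y/N] ").strip().lower() == "y"


if __name__ == "__main__":
    # Constructed sample selections, not taken from the demo page.
    for sample in ("ls -la", "echo one\necho two\n", "echo \x1b[8mhidden"):
        print(repr(sample), "->", paste_findings(sample) or "ok")
```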