Messing With Copy/Paste Could Present Security Issues

from the just-let-copy-and-paste-work dept

John Gruber recently highlighted one of the more annoying things I've seen on multiple news websites lately: attempts to muck with basic copy & paste features. I've noticed it on Wired.com and SFGate.com among others. Gruber points out that it's also happening on TechCrunch and The New Yorker's website. From a user's standpoint, what happens is that when you copy some text, and then paste it somewhere else, through some javascript shenanigans, it appends a bit of extra text that you did not copy, usually saying something like "read more:" with a URL linking back to the original story.

As someone who does a fair bit of copying and pasting in writing this blog, I agree with Gruber that this is a bit of a nuisance. It's not a hugely annoying thing, but it is annoying. If I'm copying and pasting from your website, I know what your website is, and I am already planning to link back to it. Adding that superfluous text is just annoying and basically forcing my computer to do something I did not ask it to do.

Gruber tracked down the source of this annoyance: a company called Tynt, that not only enables this functionality for a bunch of sites that probably don't realize how annoying it is, but also tracks what you copy by sending that info back to its server. That's a bit creepy, frankly. Of course, since it's javascript, it's easy enough to block for those who know how to do that sort of thing. Still, Gruber's analysis of this makes sense:

It's a bunch of user-hostile SEO bullshit.

Everyone knows how copy and paste works. You select text. You copy. When you paste, what you get is exactly what you selected. The core product of the "copy/paste company" is a service that breaks copy and paste.

The pitch from Tynt to publishers is that their clipboard jiggery-pokery allows publishers to track where text copied from their website is being used, on the assumption that whoever is pasting the text is leaving the Tynt-inserted attribution URL, with its gibberish-looking tracking ID. This is, I believe, a dubious assumption. Who, when they paste such text and find this "Read more:" attribution line appended, doesn't just delete it (and wonder how it got there)?

However, it may be even worse than that. Michael Scott points us to another analysis of this same issue, by Lance Cottrell, which highlights how breaking basic copy/paste functionality may be a security risk as well:

Imagine a site with sample code which (when copied) inserted some damaging code into the middle of a large block.

I am worried that this capability exists at all within browsers. It seems like a major security vulnerability to me.

Bad things happen when you break basic functionality to shove in fun marketing tricks and spy tactics.
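
The tampering described above can be caught by comparing what a reader selected with what actually arrives on paste. The following is an added example, not code from the article, Gruber, Cottrell or Tynt; the function names and both sample inputs are constructed, and in a browser the first string would come from `window.getSelection().toString()`.

```javascript
// Added example. All names, URLs and sample strings are constructed.

// Normalise line endings and trailing whitespace so cosmetic differences
// between the page and the paste target are not reported as tampering.
function toLines(text) {
  return text.replace(/\r\n?/g, "\n").split("\n").map((l) => l.replace(/\s+$/, ""));
}

// t[i][j] = length of the longest common subsequence of a[i..] and b[j..].
function lcsTable(a, b) {
  const t = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = a.length - 1; i >= 0; i--) {
    for (let j = b.length - 1; j >= 0; j--) {
      t[i][j] = a[i] === b[j] ? t[i + 1][j + 1] + 1 : Math.max(t[i + 1][j], t[i][j + 1]);
    }
  }
  return t;
}

// Line-level diff of selection vs. paste. `injected` lists non-blank lines the
// reader never selected; `missing` lists non-blank selected lines that were lost.
function auditPaste(selected, pasted) {
  const a = toLines(selected);
  const b = toLines(pasted);
  const t = lcsTable(a, b);
  const injected = [];
  const missing = [];
  const noteInjected = (j, position) => {
    if (b[j] !== "") {
      injected.push({ line: j + 1, text: b[j], position, url: /https?:\/\//i.test(b[j]) });
    }
  };
  const noteMissing = (i) => {
    if (a[i] !== "") missing.push({ line: i + 1, text: a[i] });
  };
  let i = 0;
  let j = 0;
  while (i < a.length && j < b.length) {
    if (a[i] === b[j]) {
      i++;
      j++;
    } else if (t[i + 1][j] >= t[i][j + 1]) {
      noteMissing(i); // selected line does not survive in the paste
      i++;
    } else {
      noteInjected(j, i === 0 ? "prepended" : "inline");
      j++;
    }
  }
  for (; i < a.length; i++) noteMissing(i);
  for (; j < b.length; j++) noteInjected(j, "appended");
  return { clean: injected.length === 0 && missing.length === 0, injected, missing };
}

// Constructed sample 1: a paragraph with an attribution line appended on copy.
const articleSelection = "Everyone knows how copy and paste works.";
const articlePaste =
  articleSelection + "\n\nRead more: http://news.example/story#ixzz0CONSTRUCTED";

// Constructed sample 2: a code block with one harmless line inserted mid-block,
// standing in for the scenario Cottrell describes.
const codeSelection = ["tar -xzf release.tar.gz", "cd release", "./configure", "make"].join("\n");
const codePaste = [
  "tar -xzf release.tar.gz",
  "cd release",
  'echo "line the reader never selected"',
  "./configure",
  "make",
].join("\r\n");

console.log(auditPaste(articleSelection, articlePaste).injected);
console.log(auditPaste(codeSelection, codePaste).injected);
```

A line-level diff is enough for both cases because the appended attribution and the mid-block insertion each show up as whole lines absent from the selection.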


Reader Comments

  1.
    weneedhelp (profile), Jun 3rd, 2010 @ 11:24am

    Firefox/IE - Disable

    Firefox
    Tools> Options> Content tab> Uncheck enable Javascript

    IE 5.5/6:
    Tools> Internet Options> Security> Internet> Custom Level> Disable Active scripting

    IE7:
    Tools> Options> Security> Internet> Custom level> Scroll down to Scripting and select the radio button to Enable or Disable it. You may also opt for IE7 to Prompt you to allow scripts to run.

     

  2.
    Simon, Jun 3rd, 2010 @ 11:30am

    To be clear....

    ... I don't think anyone is saying the Tynt implementation is insecure (as annoying as it is), but the fundamental ability for JavaScript to be able to write to the copy/paste buffer could be a problem.

     

  3.
    Anonymous Coward, Jun 3rd, 2010 @ 11:32am

    noscript, again saves the day. Blocking scripting should be the default behavior for all browsers. Yes it would break the web as we know it, and that is a Good Thing.

     

  4.
    Brian (profile), Jun 3rd, 2010 @ 11:35am

    NoScript

    I have a similar feeling as @WeNeedHelp. Javascript and active scripting is a huge problem... so disable it. I use a Firefox plugin called Noscript. I can add the domains that I fully trust to a whitelist and things like Tynt to the blacklist of never accepting. I've never had issues with what's considered "drive-by-scripting" hacks. When I first read your story, I was wondering what the real issue was because I've copied and pasted information to send to colleagues and friends from the mentioned websites, but never had anything inserted. I've added Tynt to my "untrusted" list on NoScript and won't have an issue with them ever.

     

  5.
    Simon, Jun 3rd, 2010 @ 11:39am

    Re: Whack a Taynt

    I just added their domain to adblock. Works so far and quick to update if need be.

     

  6.
    Overcast (profile), Jun 3rd, 2010 @ 12:05pm

    I really don't think about it, but if a site's non-friendly to use, umm - I don't use it.

    I know that's a - very minor - but quick way to get me to hit the 'back' button and proceed on down the search for another hit.

    I don't care, it's their site - they can block what they want and it's my choice as to what sites I want to frequent.

    But I know if Techdirt blocks copy/paste; then I'll quickly get annoyed and wander off. But I wonder.... how many more people frequent the site here maybe due to my pasting of articles with a link to the site...

    There's a few I just know offhand to skip over if I see a link on a search, because they are a pain.

     

  7.
    FormerAC (profile), Jun 3rd, 2010 @ 12:10pm

    NoScript is

    NoScript is too much work for the average user.

    I am a fairly savvy computer user. Every couple of months I give NoScript a try. I always uninstall it within a day.

    Today I decide to try it again after reading this article.
    On Techdirt alone I have to make decisions not only about Techdirt.com, but googlesyndication.com, backtype.com, fmpub.net and quantserve.com. Just for this one website. It is more trouble than it is worth. How much time is a user expected to devote to deciphering what is trustworthy and what is not? Even with NoScript, one mistake in allowing the wrong script and you have completely undone all your hard work.

     

  8.
    FormerAC (profile), Jun 3rd, 2010 @ 12:12pm

    Copy/paste

    Am I the only one who first pastes anything from the internet into Notepad? More than once I've attempted an internet copy/paste and gotten crap I didn't want. Even happens with email and word processors today. If the program I am pasting into does not have a paste text only option, I routinely paste into Notepad first. Problem solved.

     

  9.
    :Lobo Santo (profile), Jun 3rd, 2010 @ 12:23pm

    Re: Copy/paste

    I do that. Rocking good way to remove formatting and such.

     

  10.
    Zac Morris (profile), Jun 3rd, 2010 @ 12:25pm

    Just get GreaseMonkey

    Just get GreaseMonkey and/or AdBlock, better than turning off all JavaScript.

     

  11.
    John Fenderson (profile), Jun 3rd, 2010 @ 12:38pm

    Not that much work....

    I don't review everything noscript blocks. I simply let it block everything. Sites I frequent usually get unblocked (a two-click operation that can be permanent.) The fact is that most sites work just fine without more work than that.

    Sites that require third-party scripting to work are sites I don't visit much, but should I want to and I'm too busy/lazy to figure out which third party scripts are required, I can temporarily allow all scripts during that visit.

     

  12.
    Pitabred (profile), Jun 3rd, 2010 @ 12:40pm

    Re: Firefox/IE - Disable

    That's nice and all, but if you use ABP, you can also just block anything from http://*.tynt.com/ and that'll take care of it, too. I also do that for doubleclick.

     

  13.
    Anonymous Coward, Jun 3rd, 2010 @ 12:40pm

    Re: NoScript is

    Trust none of them, i.e. do nothing (the default)?

    At the most, trust the base site you are on if you trust the author.

    Security requires effort, like math, Barbie.

     

  14.
    Danny, Jun 3rd, 2010 @ 12:41pm

    This would go one of two ways.

    1. The copy/paster was going to add a link back to the original source thus all they're gonna do is delete the extra bits and put their own link up (which is what I do at my blog).

    2. The copy/paster is not going to add a link back to the original source thus all they're gonna do is delete the extra bits.


    So either you're going to annoy the people who were going to link back anyway or add one extra step to people who weren't going to link back anyway.

     

  15.
    Pitabred (profile), Jun 3rd, 2010 @ 12:42pm

    Re: Copy/paste

    I only paste into Notepad if it doesn't do the right thing at first. Ctrl+Z works in all of my programs, and 75% of the time there is no weird formatting attached.

     

  16.
    ComputerAddict (profile), Jun 3rd, 2010 @ 12:48pm

    Getting to the point

    I think the point of this article is that Javascript and/or Browsers should be blocking this kind of manipulations of core technology, and what was once a pretty harmless language making images appear and disappear, and simple little clocks on timers. Javascript's former purpose reducing server / bandwidth load by making client computers do the work isn't needed anymore nor is it being used that way. It took on a totally new role without overhauling itself and as a result turned into a huge security nightmare with ActiveX, AJAX, and other companion languages

     

  17.
    Fushta, Jun 3rd, 2010 @ 1:03pm

    Fixed it for ya

    "Gruber tracked down the source of this annoyance: a company called Taynt."

    Kidding aside, if you're going to cut/paste anything from a website, always scan the code for unnecessary stuff, whether it's harmless or harmful, and whack it.

    Clean code is happy code.

     

  18.
    Free Capitalist (profile), Jun 3rd, 2010 @ 1:39pm

    Re: Getting to the point

    what was once a pretty harmless language


    Disagree there, in the beginning Javascript was a liability and a dog. Increased computing power and years of "refining" have soothed the latter.

    It took on a totally new role without overhauling itself and as a result turned into a huge security nightmare with ActiveX, AJAX, and other companion languages


    The troubling part of this is that the AJAX approach (not really a language) is at the heart of many rich media and app-like sites that led to the (now meaningless) term "Web 2.0".

    Javascript and its ilk may show many signs of "suckiness", but they are the present and the immediate future of countless "home grown" business apps and popular, modern websites.

     

  19.
    aclearjob (profile), Jun 3rd, 2010 @ 2:22pm

    cbc.ca

    cbc.ca does this now as well.

     

  20.
    Anonymous Coward, Jun 3rd, 2010 @ 2:29pm

    Re: Not that much work....

    I totally agree. Those people who struggle so much with NoScript always puzzle me. I've got it installed right now and Techdirt works fine with EVERYTHING blocked, so there's zero need to "decipher" the 200 scripts a site tries to run.

    To be quite honest, the more decent sites don't run hundreds of scripts and you often need only enable a single script for a site to work, if any. At least that's my experience.

     

  21.
    interval, Jun 3rd, 2010 @ 2:35pm

    Re:

    Agreed, NoScript is a godsend. I also find that while the right click editing context menu in the browser is disabled often times the edit selections in the main menu are still functional. But, when all else fails, disable that java script.

     

  22.
    Anonymous Coward, Jun 3rd, 2010 @ 2:55pm

    Any security expert will tell anybody who asks that scripts are the doors to the kingdom, disable them or die.

    Of course some people will have you believe the contrary so they can show you ads :)

    Even though there is some virtualization (e.g. zonealarm forcefield) available from anti-virus PACKAGES see the all caps there the package not the scanner, most people don't even know how to use it. Hint it can be as easy as ticking a box, but still those virtualization solutions still have some leaky points mainly because they try very hard to be user friendly and security is an afterthought.

     

  23.
    Anonymous Coward, Jun 3rd, 2010 @ 3:17pm

    Any idea how Tynt sidesteps Firefox's default disabling of clipboard manipulation by scripts?

    Does it just insert a hidden citation and reposition the selection in the interval between selection and copying?

     

  24.
    Andrew F (profile), Jun 3rd, 2010 @ 4:23pm

    Opt-out

    http://www.tynt.com/support/opt-inout/

    Also, another side effect is that their JS sometimes has some odd bugs. I had an issue on the TechCrunch site the other day where it was preventing me from copying text that I had typed inside the comment box. If I'm copying and pasting my own text, there's no conceivable reason why you'd want to muck with that.

    I mentioned this on Twitter briefly and the Tynt person said they were working on it. Still, very annoying at times.

     

  25.
    nasch (profile), Jun 3rd, 2010 @ 8:17pm

    Re: Firefox/IE - Disable

    Or install NoScript. That way you can still run scripts on sites you want to, but stay away from any cross-site scripting like this Tynt (taint?) nonsense.

     

  26.
    Brendan (profile), Jun 3rd, 2010 @ 11:21pm

    Re: NoScript is

    But you only have to do that for a very short time as you explore all your trusted sites.

    Sure, I allow techdirt. Google syndication I don't really need; it's just ads. Google-analytics is an absolute nono ... that's the click and mouse tracking junk.

    I've got all my trusted sites allowed and everything else blocked by default.

    It's really not that hard to train a new user to understand it. You teach them to first allow only temporarily the domain they are visiting, and if everything seems ok, you allow it permanently.

    If they accidentally allow all on the page, it's not worse than browsing without it.

    If they are too stupid to right click an icon and permit scripts, get off my computer and go home.

     

  27.
    nasch (profile), Jun 4th, 2010 @ 7:57am

    Re: Just get GreaseMonkey

    Except that NoScript is a whitelist rather than a blacklist. For AdBlock to deal with this, you would have to either add an exception yourself, or wait for your list to get updated. With NoScript, it's automatically blocked from the get-go. And if they try tricks like changing domain names or something, that will be blocked too.

     

  28.
    Jim Hirshfield, Jun 5th, 2010 @ 6:14am

    Assumptions

    Hi Mike,

    I just wanted to chime in to say that we respect how users feel about our product and their clipboards. We're upfront about the opt-out feature - it's on our homepage.

    I'd like to correct the assumptions. We're not in the business of policing copyright or recording personal identifiable information. We are a social media service that lets publishers benefit from the simplest form of sharing: copy/paste.

    We're sorry it seems creepy on the surface. That's not the intent, nor do I believe it to be the reality. Again, for those that don't want their anonymous data collected, they can opt-out - in the same way that you can from ad networks.

    As for whether users leave the attribution link in place, many do. Millions per month. I can understand Gruber's opinion that proper "web etiquette" dictates that we should (and are?) linking back already. That's not emblematic of the typical internet user (Did you see Danny Sullivan's piece on how his post was ripped off without attribution?), especially when sharing copied text via email. 70% of sharing happens via email where users are much less inclined to post a backlink.

    Outside of email, the links are also left in place to a dramatic degree. These are SEO-friendly links and some publishers are seeing the results that 1000s of new links/month bring them.

    As for security, we take that very seriously. We're listening and taking note.

    Thanks,
    Jim Hirshfield
    VP of Business Development
    Tynt Multimedia

     

  29.
    nasch (profile), Jun 5th, 2010 @ 9:36am

    Re: Assumptions

    Again, for those that don't want their anonymous data collected, they can opt-out - in the same way that you can from ad networks.

    True, I opt out of both in the same way: not letting them onto my computer in the first place. ;-)

     

  30.
    Mike Masnick (profile), Jun 5th, 2010 @ 11:27am

    Re: Assumptions

    I just wanted to chime in to say that we respect how users feel about our product and their clipboards. We're upfront about the opt-out feature - it's on our homepage.

    Oh come on. The vast majority of people this affects will NEVER see YOUR home page. I've seen this "feature" on tons of sites, and none of them mention Tynt. Most people have no idea it's your company doing this.

    I'd like to correct the assumptions. We're not in the business of policing copyright or recording personal identifiable information. We are a social media service that lets publishers benefit from the simplest form of sharing: copy/paste.

    By breaking copy/paste?

    We're sorry it seems creepy on the surface. That's not the intent, nor do I believe it to be the reality. Again, for those that don't want their anonymous data collected, they can opt-out - in the same way that you can from ad networks.

    Again, only if they know about you, but none of the sites using your thing make that clear.

    As for whether users leave the attribution link in place, many do. Millions per month. I can understand Gruber's opinion that proper "web etiquette" dictates that we should (and are?) linking back already. That's not emblematic of the typical internet user (Did you see Danny Sullivan's piece on how his post was ripped off without attribution?), especially when sharing copied text via email. 70% of sharing happens via email where users are much less inclined to post a backlink.

    First of all, Danny's thing was TOTALLY different. That was not a case of copy/pasting at all, but the press rewriting his article. That's a total apples and oranges situation.

    And, I'm sorry, but that's ridiculous to think that most people don't link back.

    Outside of email, the links are also left in place to a dramatic degree. These are SEO-friendly links and some publishers are seeing the results that 1000s of new links/month bring them.

    Yeah, you're picking up SEO from spammers by annoying all people who expect copy and paste to work as it should.

    What you're doing is not a good thing.

     

  31.
    Offshoreally only, Jul 3rd, 2010 @ 1:26am

    It's really graveling when someone copies some content your original content from your sites and pastes to some other place. It's kinda theft from my point of view since you are stealing someone's property...

     

  32.
    nasch (profile), Jul 3rd, 2010 @ 5:41pm

    Re:

    Graveling? It's not theft and they're not stealing. If they were stealing, you would be missing something after they did it. You still have everything that you had before, so they didn't steal anything from you. I'm not saying it's right or legal, only that it's different from stealing.

     

  33.
    Eric, Jul 14th, 2010 @ 12:23pm

    Browser flaw being abused

    Regardless of how creepy Tynt's abuse is, this issue boils down to a browser flaw. Javascript should not be allowing access to the users' text selection. If the only way to remove this is by blocking mouse-down/up events from the browser, so be it.

    This wouldn't be anywhere near the first time a "feature" in javascript was abused horribly to break basic functionality. Who ever thought letting web pages resize and move your browser window was a good idea? Or replacing status bar text (a HUGE security flaw).

    I would much rather "approve" extended JS functionality on the few sites that legitimately use it, rather than have everything default to on. Just like Flash doesn't leave your webcam wide open to every page you visit.

    You better believe Tynt and companies like them would be snapping pictures of you with your own webcam if Flash or Javascript let them - it's up to the web browsers to vigilantly protect us from this sort of abuse, and remove these features once companies or hackers find a way to abuse them.

     

  34.
    Randall, Aug 26th, 2010 @ 4:29pm

    What Tynt should have done

    If Tynt would simply include their name somewhere in the output of the pasted text, then at least it would be more reassuring. But as it stands, most users have no idea how to opt out of this "feature", so it is hard to believe that no wrongdoing is taking place. When you change basic functionality of the user interface, you need to hold yourself accountable.

     

  35.
    Christopher (profile), Aug 31st, 2010 @ 7:35pm

    Re: Re: Firefox/IE - Disable

    I haven't even seen any of this nonsense. Some guy was whining about this on Cnet.com, and I went there with Firefox/Minefield, Opera 10.70, Chrome 7 and IE8.... no problems copying and pasting.

     

  36.
    Christopher (profile), Aug 31st, 2010 @ 7:37pm

    Re:

    No, it isn't a good thing. A HELL OF A LOT of the internet relies on scripting, and it is PART OF THE HTML STANDARDS!

    Now, should there be some things that scripts aren't allowed to do? Hell yes, and Mozilla and others are realizing that and BLOCKING those behaviors today.

     

  37.
    Christopher (profile), Aug 31st, 2010 @ 7:39pm

    Re: Re: Not that much work....

    Eh... not always anymore. On CNN.com, I have to allow scripts from about 10 sites or the site is broken and commenting on stories is broken.

     

  38.
    End User 404, Aug 21st, 2011 @ 3:47pm

    Sure you are worm

    To Mr Hirshfield,

    You and your kind need to be in jail for this sort of behavior on the internet. They stick script kiddies in jail all the time for much less; yet somehow scourge like you seem to be able to avoid wearing a prison number. I wonder why that is Mr Hirshfield?

    Only difference between scum like you and hackers is that you somehow manage to get a business license to do your money changing. And for the most part hackers have a sense of ethics to the computer world.

    The BS line of people can "opt-out," doesn't wash. End users didn't even know who pond scum like you were until we went looking to figure out who hijacked our clipboards.

    One day, you and people like you will stand judgement.

    It is my wish you, and parasites like you bear the full brunt of that judgement when it comes.

    Have a nice day...

     

  39.
    Raven41191, Jan 23rd, 2012 @ 10:12pm

    Write your own material.

    WTF is wrong with people now-a-days? You are the laziest people. Why copy and paste *cough* steal *cough* other people's work? If you can't write an article yourself, close down you f'n site. You sound like a bunch of people that don't have an original thought to yourself, you have to steal someone else's.

    Write your own material!!!

     

  40.
    nasch (profile), Jan 24th, 2012 @ 10:40am

    Re: Write your own material.

    If you can't write an article yourself, close down you f'n site.

    You're right, this site is terrible. You should not visit it again. Find someplace more original, and post your comments there.

     
