Messing With Copy/Paste Could Present Security Issues

from the just-let-copy-and-paste-work dept

John Gruber recently highlighted one of the more annoying things I’ve seen on multiple news websites lately: attempts to muck with basic copy & paste features. I’ve noticed it on Wired.com and SFGate.com among others. Gruber points out that it’s also happening on TechCrunch and The New Yorker’s website. From a user’s standpoint, what happens is that when you copy some text, and then paste it somewhere else, through some javascript shenanigans, it appends a bit of extra text that you did not copy, usually saying something like “read more:” with a URL linking back to the original story.

As someone who does a fair bit of copying and pasting in writing this blog, I agree with Gruber that this is a bit of a nuisance. It’s not a hugely annoying thing, but it is annoying. If I’m copying and pasting from your website, I know what your website is, and I am already planning to link back to it. Adding that superfluous text is just annoying and basically forcing my computer to do something I did not ask it to do.

Gruber tracked down the source of this annoyance: a company called Tynt, that not only enables this functionality for a bunch of sites that probably don’t realize how annoying it is, but also tracks what you copy by sending that info back to its server. That’s a bit creepy, frankly. Of course, since it’s javascript, it’s easy enough to block for those who know how to do that sort of thing. Still, Gruber’s analysis of this makes sense:

It’s a bunch of user-hostile SEO bullshit.

Everyone knows how copy and paste works. You select text. You copy. When you paste, what you get is exactly what you selected. The core product of the “copy/paste company” is a service that breaks copy and paste.

The pitch from Tynt to publishers is that their clipboard jiggery-pokery allows publishers to track where text copied from their website is being used, on the assumption that whoever is pasting the text is leaving the Tynt-inserted attribution URL, with its gibberish-looking tracking ID. This is, I believe, a dubious assumption. Who, when they paste such text and find this “Read more:” attribution line appended, doesn’t just delete it (and wonder how it got there)?

However, it may be even worse than that. Michael Scott points us to another analysis of this same issue, by Lance Cottrell, which highlights how this breaking the basic copy/paste functionality may be a security risk as well:

Imagine a site with sample code which (when copied) inserted some damaging code in to the middle of a large block.

I am worried that this capability exists at all within browsers. It seems like a major security vulnerability to me.

Bad things happen when you break basic functionality to shove in fun marketing tricks and spy tactics.

Filed Under: , ,
Companies: tynt

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Messing With Copy/Paste Could Present Security Issues”

Subscribe: RSS Leave a comment
41 Comments
weneedhelp (profile) says:

Firefox/IE - Disable

Firefox
Tools> Options> Content tab> Uncheck enable Javascript

IE 5.5/6:
Tools> Internet Options> Security> Internet> Custom Level> Disable Active scripting

IE7:
Tools> Options> Security> Internet> Custom level> Scroll down to Scripting and select the radio button to Enable or Disable it. You may also opt for IE7 to Prompt you to allow scripts to run.

Brian (profile) says:

NoScript

I have similar feeling as @WeNeedHelp. Javascript and active scripting is a huge problem… so disable it. I use a firefox plugin called Noscript. I can add the domains that I fully trust to a whitelist and things like Tynt to the blacklist of never accepting.

I’ve never had issues with what’s considered “drive-by-scripting” hacks. When I first read your story, I was wondering what the real issue was because I’ve copied and pasted information to send to colleagues and friends from the mentioned websites, but never had anything inserted.
I’ve added Tynt to my “untrusted” list on NoScript and won’t have an issue with them ever.

Overcast (profile) says:

I really don’t think about it, but if a site’s non-friendly to use, umm – I don’t use it.

I know that’s a – very minor – but quick way to get me to hit the ‘back’ button and proceed on down the search for another hit.

I don’t care, it’s their site – they can block what they want and it’s my choice as to what sites I want to frequent.

But I know if Techdirt blocks copy/paste; then I’ll quickly get annoyed and wander off. But I wonder…. how many more people frequent the site here maybe due to my pasting of articles with a link to the site…

There’s a few I just know offhand to skip over if I see a link on a search, because they are a pain.

FormerAC (profile) says:

NoScript is

NoScript is too much work for the average user.

I am a fairly savvy computer user. Every couple of months I give NoScript a try. I always uninstall it within a day.

Today I decide to try it again after reading this article.
On Techdirt alone I have to make decisions not only about Techdirt.com, but googlesyndication.com, backtype.com, fmpub.net and quantserve.com. Just for this one website. It is more trouble than it is worth. How much time is a user expected to devote to deciphering what is trustworthy and what is not? Even with NoScript, one mistake in allowing the wrong script and you have completely undone all your hard work.

FormerAC (profile) says:

Re: Copy/paste

Am I the only one who first pastes anything from the internet into Notepad? More than once I’ve attempted an internet copy/paste and gotten crap I didn’t want. Even happens with email and word processors today. If the program I am pasting into does not have a paste text only option, I routinely paste into Notepad first. Problem solved.

John Fenderson (profile) says:

Re: Not that much work....

I don’t review everything noscript blocks. I simply let it block everything. Sites I frequent get usually get unblocked (a two-click operation that can be permanent.) The fact is that most sites work just fine without more work than that.

Sites that require third-party scripting to work are sites I don’t visit much, but should I want to and I’m too busy/lazy to figure out which third party scripts are required, I can temporarily allow all scripts during that visit.

Anonymous Coward says:

Re: Re: Not that much work....

I totally agree. Those people who struggle so much with NoScript always puzzle me. I’ve got it installed right now and Techdirt works fine with EVERYTHING blocked, so there’s zero need to “decipher” the 200 scripts a site tries to run.

To be quite honest, the more decent sites don’t run hundreds of scripts and you often need only enable a single script for a site to work, if any. At least that’s my experience.

Brendan (profile) says:

Re: NoScript is

But you only have to do that for a very short time as you explore all your trusted sites.

Sure, I allow techdirt. Google syndication I don’t really need; it’s just ads. Google-analytics is an absolute nono … that’s the click and mouse tracking junk.

I’ve got all my trusted sites allowed and everything else blocked by default.

It’s really not that hard to train a new user to understand it. You teach them to first allow only temporarily the domain they are visiting, and if every thing seems ok, you allow it permanently.

If they accidentally allow all on the page, its not worse than browsing without it.

If they are too stupid to right click an icon and permit scripts, get off my computer and go home.

nasch (profile) says:

Re: Just get GreasMonkey

Except that NoScript is a whitelist rather than a blacklist. For AdBlock to deal with this, you would have to either add an exception yourself, or wait for your list to get updated. With NoScript, it’s automatically blocked from the get-go. And if they try tricks like changing domain names or something, that will be blocked too.

Danny says:

This would go one of two ways.

1. The copy/paster was going to add a link back to the original source thus all they’re gonna do is delete the extra bits and put their own link up (which is what I do at my blog).

2. The copy/paster is not going to add a link back to the original source thus all they’re gonna do is delete the extra bits.

So either you’re going to annoy the people who were going to link back anyway or add one extra step to people who weren’t going to link back anyway.

ComputerAddict (profile) says:

Getting to the point

I think the point of this article is that Javascript and/or Browsers should be blocking this kind of manipulations of core technology, and what was once a pretty harmless language making images appear and disappear, and simple little clocks on timers. Javascript’s former purpose reducing server / bandwidth load by making client computers do the work isn’t needed anymore nor is it being used that way. It took on a totally new role without overhauling itself and as a result turned into a huge security nightmare with ActiveX, AJAX, and other companion languages

Free Capitalist (profile) says:

Re: Getting to the point

what was once a pretty harmless language

Disagree there, in the beginning Javascript was a liability and a dog. Increased computing power and years of “refining” have soothed the latter.

It took on a totally new role without overhauling itself and as a result turned into a huge security nightmare with ActiveX, AJAX, and other companion languages

The troubling part of this is that the AJAX approach (not really a language) is at the heart of many rich media and app-like sites that led to the (now meaningless) term “Web 2.0”.

Javascript and its ilk may show many signs of “suckiness”, but they are the present and the immediate future of countless “home grown” business apps and popular, modern websites.

Anonymous Coward says:

Any security expert will tell anybody who ask that scripts are the doors to the kingdom, disable them or die.

Of course some people will have you believe the contrary so they can show you ad’s 🙂

Even thought there is some virtualization(e.g. zonealarm forcefield) available from anti-virus PACKAGES see the all caps there the package not the scanner, most people don’t even know how to use it. Hint it can be as easy as ticking a box, but still those virtualization solutions still have some leaky points mainly because they try very hard to be user friendly and security is an after thought.

Andrew F (profile) says:

Opt-out

http://www.tynt.com/support/opt-inout/

Also, another side effect is that their JS sometimes has some odd bugs. I had an issue on the TechCrunch site the other day where it was preventing me from copying text that I had typed inside the comment box. If I’m copying and pasting my own text, there’s no conceivable reason why you’d want to muck with that.

I mentioned this on Twitter briefly and the Tynt person said they were working on it. Still, very annoying at times.

Jim Hirshfield (user link) says:

Assumptions

Hi Mike,

I just wanted to chime in to say that we respect how users feel about our product and their clipboards. We’re upfront about the opt-out feature – it’s on our homepage.

I’d like to correct the assumptions. We’re not in the business of policing copyright or recording personal identifiable information. We are a social media service that lets publishers benefit from the simplest form of sharing: copy/paste.

We’re sorry it seems creepy on the surface. That’s not the intent, nor do I believe it to be the reality. Again, for those that don’t want their anonymous data collected, they can opt-out – in the same way that you can from ad networks.

As for whether users leave the attribution link in place, many do. Millions per month. I can understand Gruber’s opinion that proper “web etiquette” dictates that we should (and are?) linking back already. That’s not emblematic of the typical internet user (Did you see Danny Sullivan’s piece on how his post was ripped off without attribution?), especially when sharing copied text via email. 70% of sharing happens via email where users are much less inclined to post a backlink.

Outside of email, the links are also left in place to a dramatic degree. These are SEO-friendly links and some publishers are seeing the results that 1000s of new links/month bring them.

As for security, we take that very seriously. We’re listening and taking note.

Thanks,
Jim Hirshfield
VP of Business Development
Tynt Multimedia

Mike Masnick (profile) says:

Re: Assumptions

I just wanted to chime in to say that we respect how users feel about our product and their clipboards. We’re upfront about the opt-out feature – it’s on our homepage.

Oh come on. The vast majority of people this effects will NEVER see YOUR home page. I’ve seen this “feature” on tons of sites, and none of them mention Tynt. Most people have no idea it’s your company doing this.

I’d like to correct the assumptions. We’re not in the business of policing copyright or recording personal identifiable information. We are a social media service that lets publishers benefit from the simplest form of sharing: copy/paste.

By breaking copy/paste?

We’re sorry it seems creepy on the surface. That’s not the intent, nor do I believe it to be the reality. Again, for those that don’t want their anonymous data collected, they can opt-out – in the same way that you can from ad networks.

Again, only if they know about you, but none of the sites using your thing make that clear.

As for whether users leave the attribution link in place, many do. Millions per month. I can understand Gruber’s opinion that proper “web etiquette” dictates that we should (and are?) linking back already. That’s not emblematic of the typical internet user (Did you see Danny Sullivan’s piece on how his post was ripped off without attribution?), especially when sharing copied text via email. 70% of sharing happens via email where users are much less inclined to post a backlink.

First of all, Danny’s thing was TOTALLY different. That was not a case of copy/pasting at all, but the press rewriting his article. That’s a total apples and oranges situation.

And, I’m sorry, but that’s ridiculous to think that most people don’t link back.

Outside of email, the links are also left in place to a dramatic degree. These are SEO-friendly links and some publishers are seeing the results that 1000s of new links/month bring them.

Yeah, you’re picking up SEO from spammers by annoying all people who expect copy and paste to work as it should.

What you’re doing is not a good thing.

Eric says:

Browser flaw being abused

Regardless of how creepy Tynt’s abuse is, this issue boils down to a browser flaw. Javascript should not be allowing access to the users’ text selection. If the only way to remove this is by blocking mouse-down/up events from the browser, so be it.

This wouldnt be anywhere near the first time a “feature” in javascript was abused horribly to break basic funcionality. Who ever thought letting web pages resized and move your browser window was a good idea? Or replacing status bar text (a HUGE security flaw).

I would much rather “approve” extended JS functionality on the few sites that legitimately use it, rather than have everything default to on. Just like Flash doesn’t leave your webcam wide open to every page you visit.

You better believe Tynt and companies like them would be snapping pictures of you with your own webcam if Flash or Javascript let them – it’s up to the web browsers to vigilantly protect us from this sort of abuse, and remove these features once companies or hackers find a way to abuse them.

Randall (profile) says:

What Tynt should have done

If Tynt would simply include their name somewhere in the output of the pasted text, then at least it would be more reassuring. But as it stands, most users have no idea how to opt out of this “feature”, so it is hard to believe that no wrongdoing is taking place. When you change basic functionality of the user interface, you need to hold yourself accountable.

End User 404 says:

Sure you are worm

To Mr Hirshfield,

You and your kind need to be in jail for this sort of behavior on the internet. They stick script kiddies in jail all the time for much less; yet somehow scourge like you seem to be able to avoid wearing a prison number. I wonder why that is Mr Hirshfield?

Only difference between scum like you and hackers is that you somehow manage to get a business license to do your money changing. And for the most part hacker have a sense of ethics to the computer world.

The BS line of people can “opt-out,” doesn’t wash. End users didn’t even know who pond scum like you were until we went looking to figure out who hijacked our clipboards.

One day, you and people like you will stand judgement.

It is my wish you, and parasites like you bear the full brunt of that judgement when it comes.

Have a nice day…

Raven41191 says:

Write your own material.

WTF is wrong with people now-a-days? You are the laziest people. Why copy and paste *cough* steal *cough* other people’s work? If you can’t write an article yourself, close down you f’n site. You sound like a bunch of people that don’t have an original thought to yourself, you have to steal someone else’s.

Write your own material!!!

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »