CTRL+C + CTRL+V = XSS

Quirks in the copy and paste functionality used by web browsers, text editors, and websites can be abused to execute cross-site scripting (XSS) attacks and data exfiltration, a security researcher has discovered.

Users put themselves at risk if they copy content from malicious sites to their clipboard, then paste that data to a WYSIWYG editor within a legitimate website.

Building on recently published research that focused on the TinyMCE text editor, Michał Bentkowski published a deep dive into his copy and paste exploits yesterday (June 15).

The researcher, who also discovered an XSS flaw in CKEditor this year, won bug bounties totaling more than $30,000 after unearthing four security issues in web browsers and five vulnerabilities in rich-text editors.

Building on ‘Copy and Pest’

Bentkowski, who is chief security researcher at Polish cybersecurity outfit Securitum, said his work built on 2015 research from Mario Heiderich, who showed how copying data from non-browser applications like LibreOffice or Microsoft Word and pasting it into browsers could lead to XSS.

As well as showing that data exfiltration is another potential outcome, Bentkowski demonstrated that JavaScript WYSIWYG editors would introduce security flaws even if browsers were themselves inoculated against sanitization bypass flaws.

“A JavaScript code can ignore the browser’s sanitization process and handle it manually,” he explained.

“Every popular WYSIWYG editor handles the paste event by itself” in order to remove dangerous elements, properly handle content from popular editors, and normalize pasted elements.

Bentkowski also demonstrated that “copying and pasting between two browser tabs is more likely to be exploited than copying from an external application and pasting in the browser.”

His research focused on formatted text, “since it is equivalent to HTML markup in the world of browsers”.

Sanitizer bypass bonanza

Bentkowski, who has created a ‘Copy & Paste Playground’ to allow bug hunters to explore the “enormous attack surface”, found at least one sanitizer bypass in the Chromium, Firefox, Safari, and Edge browsers.

For instance, a universal XSS that has now been fixed in Chromium 79 could be triggered on Gmail, Wikipedia, and Blogger, as a proof of concept he furnished to Google demonstrated.

A second Chromium bug leaked CSS data from the page, including session tokens or a user’s personal information. Another video demonstrating the exploit within Gmail netted Bentkowski a huge $10,000 reward.

Two Firefox flaws, meanwhile, centered on the pasting of stylesheets from the clipboard.

As outlined in more depth in research he published in February, the researcher demonstrated that data can be leaked via CSS with a single injection point, and he showed how a mutation XSS in Firefox affected Aloha Editor, among other rival tools.

Visual editor zero-day

Bentkowski told The Daily Swig that a flaw in the Froala WYSIWYG HTML editor remains a zero-day vulnerability.

“Froala is guilty of carrying out extensive HTML processing using regular expressions and string processing”, he said in his post. This was cited as “another fine example that processing HTML as strings is almost always a bad idea.”
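The general failure class behind that remark, shown as an added example that is not Froala's code and not the flaw Bentkowski reported: a single regex pass over pasted HTML can reassemble the element it was meant to remove, while a handler that only takes `text/plain` and escapes it cannot. The function names, the `fakeClipboard` stub and the sample clipboard contents are hypothetical and constructed for this illustration.

```javascript
// Added illustration; all names and sample data below are constructed.

// String-processing approach: one regex pass that deletes <script> elements.
function regexSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Escape the five HTML-significant characters so text is inserted as inert text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Narrow paste policy: never read text/html, only the plain-text flavour.
function pasteAsText(clipboardData) {
  return escapeHtml(clipboardData.getData("text/plain"));
}

// Constructed stand-in for event.clipboardData inside a paste handler.
function fakeClipboard(items) {
  return { getData: (type) => items[type] || "" };
}

// Constructed clipboard contents: the HTML flavour nests the filtered tag
// inside itself, so deleting the inner pair leaves a complete outer pair.
const sample = fakeClipboard({
  "text/html": "<b>hi</b><scr<script></script>ipt>probe()</scr<script></script>ipt>",
  "text/plain": "hi <script>probe()</script>",
});

const viaRegex = regexSanitize(sample.getData("text/html"));
const viaText = pasteAsText(sample);

console.log("regex pass:", viaRegex); // a <script> element survives the filter
console.log("text only: ", viaText);  // no markup survives, only entities
```

An editor that must keep formatting would instead parse the clipboard HTML into a DOM and copy across only allowlisted elements and attributes; the plain-text handler here is the narrowest safe case.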

Bentkowski has created a Closure playground for a flaw in Google’s Closure Library sanitizer that affects Gmail users, but is exploitable only in conjunction with a browser bug.

An exploit successfully leveled against Google Docs used a non-HTML content type and could be mounted via DOM clobbering as well as XSS.

Another, unnamed application was also vulnerable to the flaw, which reflects the fact that “certain editors let the browsers do the initial sanitization and then perform some operations on pre-sanitized content.”

Flaws in TinyMCE, arguably the most popular WYSIWYG HTML editor, prompted the developer to release two security advisories urging application developers to upgrade.

Developers of CKEditor, meanwhile, fixed a vulnerability Bentkowski found in CKEditor 4.

‘Extremely vague’

“I have shown that pasting content from clipboard appears to be an underestimated attack vector,” Bentkowski said in his research post.

Describing the “specification of Clipboard APIs” as “extremely vague on sanitizing content on pasting”, he urged browser vendors to develop specific sanitization rules that “are safe and consistent” across all browsers.

He told The Daily Swig: “I expect more attacks in the coming months. I hope that my research will raise awareness and make more people report bugs in WYSIWYG editors because my impression is that they’re not well protected against these types of attacks in general.”
