While searching for a way to access the system clipboard via JavaScript, I seem to have discovered a security hole in WebKit. Normally, system clipboard access is restricted to clipboard events such as oncopy and onpaste. However, I found that you can set the system clipboard from any context (e.g. a timer event).
This is achieved by adding an IFrame containing a text input element to the document and turning its design mode / content-editable on. execCommand then becomes available via the added IFrame's document. So, to copy text to the system clipboard, you set the text input's value (inside the IFrame) to the text to be copied, select and focus the text input, and finally issue execCommand("copy") on the IFrame document.
Click here for a demo; it is an example with malicious intent: it hijacks the system clipboard by constantly setting its content to a malicious URL (note that it does not harm your computer, and it stops when you close the page). Extra effort can be made to avoid scrolling issues when focusing/selecting the text input, by using absolutely positioned floats. The example is also triggered by a mouse click; a malicious script would probably start copying as soon as it is loaded.
I am not sure whether the WebKit developers would consider this a security hole. I have tested it on Safari 3 (Windows and Mac) and Chrome 2, and it works in both. I have reported it to them.
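As an added example (not code from the original post), here is the gesture gate that closes this kind of hole: a copy is honoured only within a short window after a trusted user gesture, so an execCommand("copy") fired from a timer or at page load is refused and the clipboard is left untouched. The window length, the gesture event list and the guardFrames helper are my assumptions for this demo.

```javascript
// Added example, not the post's code. The gesture window and event list
// are assumptions chosen for this demo, modelled on browser user-activation rules.
const GESTURE_WINDOW_MS = 1000;                              // assumed policy window
const GESTURE_EVENTS = new Set(['click', 'keydown', 'pointerdown', 'touchend']);

class ClipboardGesturePolicy {
  constructor(windowMs = GESTURE_WINDOW_MS) {
    this.windowMs = windowMs;
    this.lastGestureAt = -Infinity;
    this.blocked = [];                                       // audit log of refused copies
  }

  // Only browser-generated (isTrusted) gestures count; scripted clicks do not.
  recordGesture(type, isTrusted, now) {
    if (isTrusted && GESTURE_EVENTS.has(type)) this.lastGestureAt = now;
  }

  // A copy fired from a timer or at page load has no recent gesture: refuse it.
  allowCopy(now) {
    const ok = now - this.lastGestureAt <= this.windowMs;
    if (!ok) this.blocked.push(now);
    return ok;
  }
}

// Browser wiring for one document. Copy events do not cross frame boundaries,
// so the injected IFrame document needs its own listeners (see guardFrames).
function attach(doc, policy, clock = () => Date.now()) {
  for (const type of GESTURE_EVENTS) {
    doc.addEventListener(type, (e) => policy.recordGesture(e.type, e.isTrusted, clock()), true);
  }
  doc.addEventListener('copy', (e) => {
    if (!policy.allowCopy(clock())) {
      e.preventDefault();                                    // skip the default copy action
      console.warn('copy refused: no recent user gesture');
    }
  }, true);
}

// Guard the top document plus every same-origin frame, including ones added
// later, since the post's vector is an IFrame injected by script.
function guardFrames(rootDoc, policy) {
  attach(rootDoc, policy);
  const hook = (frame) => { if (frame.contentDocument) attach(frame.contentDocument, policy); };
  rootDoc.querySelectorAll('iframe').forEach(hook);
  new MutationObserver((records) => records.forEach((r) => r.addedNodes.forEach((n) => {
    if (n.tagName === 'IFRAME') n.addEventListener('load', () => hook(n));
  }))).observe(rootDoc.documentElement, { childList: true, subtree: true });
}
```

In a page, call guardFrames(document, new ClipboardGesturePolicy()) once; cross-origin frames are skipped because their contentDocument is null.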
