With Firefox on X11, any page can pastejack you anytime (middle button paste)

The X “primary selection”&#x2F;middle click paste behavior this takes advantage of is one of my least favorite Linux features and I have had it disabled for years, so I didn’t even know it had been changed&#x2F;removed in Wayland.<p>Having a single mouse button (that often has other functionality like autoscroll in Firefox) cause text highlighted in another app to paste in the focused app is super unintuitive to me, and caused a few significant annoyances unintentionally pasting secrets or private messages in the wrong place before I got rid of it.

&gt; For firefox running in Wayland, `writeXPrimary()` will only succeed when the firefox window (the main window, not necessarily the tab the code runs in) has the focus. Otherwise the selection will be cleared. At first I assumed that this is something specific to the Wayland protocol, but that turned out to be utterly false; it&#x27;s just some quirk, bug or &quot;feature&quot; specific to either firefox itself or GTK.<p>Most Wayland compositors will refuse clipboard requests from unfocused clients.<p>Additionally, the Wayland protocol carries an event identifier, so that the compositor can tie the clipboard request to a pointer&#x2F;keyboard&#x2F;touch event and take a better decision. (This metadata is missing for X11 clients, of course.)

I&#x27;m embarrassed that I&#x27;m confused enough (ignorance about how webpages and javascript modern things, etc work) to not answer this on my own, but does this mean:<p>1) Beware! any site you visit can, via javascript, inject whatever it wants into your clipboard (write access)<p>2) Beware! any site you visit can, via javascript, do whatever it wants with your clipboard (READ and write access) &lt;-- this would freak me out and require immediate opsec change on my part<p>3) some combination of the above.<p>4) something different.<p>I use exclusively Firefox (as opposed to any browser) and haven&#x27;t touched wayland. I also only type on keyboards with a trackpoint and a middle click button, and have for the past few decades. Hence, I&#x27;m sure I make heavy use of all the various methods of accessing clipboards..<p>(I&#x27;m guessing it&#x27;s closer to #1 than #2, I think I once saw a crypto address in my clipboard unexpectedly on a VM...)

I couldn&#x27;t get this working in librewolf, maybe the hardening it uses prevents this. It works like a hot damn in tor browser though, which is supposed to be fairly locked down. Don&#x27;t forget to turn off javascript before you leave home, kids. In chrome based browsers it rewrites the X11 paste buffer if you select anything on the page that&#x27;s running the script, which is effectively the old fashioned clipboard rewrite attack. This is a nice find, I like it.<p>To those wondering who would paste and execute without a second look, there are ways to hide text. You can also paste control characters, so if you pasted into vim the command would get executed without any visible feedback. Same could be true for emacs, someone who knows it better could pipe in.<p>Any time you run potentially malicious code (like clicking on a random link when you have javascript enabled) on the same computer as data you care about, you&#x27;re taking a risk. Sandboxing is a compromise, but one that&#x27;s usually worthwhile.

&gt; In firefox running on X11, any script from any page can freely write to the primary selection, and that can be easily exploited to run arbitrary code on the user&#x27;s machine.<p>This is a problem with web browsers. They shall not run untrusted code from the internet.<p>But we are now in the stage &quot;oh, cool, i can access my USB from internet&quot;.

… that they blocked the author&#x27;s extension is like icing on this WTF cake.<p>This is absolutely a bug, and almost certainly a security bug. If you consider pastejacking the clipboard within the threat model that you want to account for, selection-jacking like this is <i>absolutely</i> within it, as it&#x27;s a superset in terms of bad behavior.<p>(… but browsers have long maligned the primary selection on Linux. Neither Firefox nor Chrome have behaved properly for a long time, so it&#x27;s not really surprising that they don&#x27;t wanna when it comes to this bug. The primary selection is incredibly useful, but unique to Linux and even there, poorly understood amongst its userbase due to being a bit tricky to discover.)

This has been known for at least a decade or two already.<p>And a much worse attack exists: you copy e.g. shell code from the page, and instead of what you see, you paste something evil in your terminal.

Gentoo is great!<p><pre><code> cd &#x2F;etc&#x2F;portage&#x2F;patches&#x2F;www-client&#x2F;firefox&#x2F; nano nomiddleclickhijack.patch #paste patch, save emerge -av firefox</code></pre>

You can set clipboard.autocopy to false in about:config to disable this. It breaks the example, at least.<p>EDIT: I thought the behavior was preserved for textareas, as the comment box here still copied on select. But it suddenly disabled it here too. Restarting the browser is probably a safe bet :)

You should always paste into an editor first, just copying any text from a webpage is a risk.<p>There are even examples using terminal escape codes, to hide what happened.<p><a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;privacy&#x2F;comments&#x2F;rv964x&#x2F;comment&#x2F;hr4z1fv&#x2F;?utm_source=share&amp;utm_medium=web2x&amp;context=3" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;privacy&#x2F;comments&#x2F;rv964x&#x2F;comment&#x2F;hr4...</a>

My list of reasons to block all javascript by default grows longer by the day. 90% of websites don&#x27;t need javascript <i>at all</i> to display the content I&#x27;m looking for, about 9% only require first party javascript, and the 1% left usually just gets me to close the tab and go somewhere else.

I am surprised that Firefox freely allows access to the clipboard. I&#x27;m using Brave and there&#x27;s an explicit permission for it that is disallowed by default.

Firefox tends to have worse security by default than other browsers so this isn&#x27;t a surprise to me.<p>Most browser exploits are delivered by JavaScript, so the safest course of action is to use NoScript judiciously, run the browser in a VM, and pray.

An interesting thing about X11 pasting is that the way it&#x27;s implemented (a request to the server to send a request event to the owner of the selection in question) the place you&#x27;re pasting from can actually see who is requesting the info and could make decisions based on that (even prompting for verification). I always thought that would be a great security feature for a password manager, though I don&#x27;t know if any actually do it.

This might be too controversial to say here, but I have no strong opinions on middle-click behavior one way or another.

For disabling X11 middle click paste, I found an interesting SO post but the best answer I saw and tested myself and it works, was the one by Suraj Inamdar about one third of the way down the page:<p><a href="https:&#x2F;&#x2F;unix.stackexchange.com&#x2F;questions&#x2F;24330&#x2F;how-can-i-turn-off-middle-mouse-button-paste-functionality-in-all-programs" rel="nofollow noreferrer">https:&#x2F;&#x2F;unix.stackexchange.com&#x2F;questions&#x2F;24330&#x2F;how-can-i-tur...</a><p>What sucks is I use middle click paste all the time so now I&#x27;ll have to decide if I want to leave it disabled for potentially improving security.

Middle mouse paste is broken in GTK. Glad someone pointed it out, I hope it gets fixed

Is there no link to a Firefox bug report for this, or am I just missing it?

This does not require javascript to be running either, that surprised me. But it&#x27;s not that big of an issue.

Doesn&#x27;t work on my KDE setup. Turned out I&#x27;d set the option to disable copy-via-selection in Klipper.

How is this affected by settings in Firefox to prevent sites from reading the clipboard?

why can the browser work with copy&#x2F;paste and intercept keys in the first place?<p>I would like to turn all that completely off.

Well yeah, this is one of the core issues that Wayland was built to address. X11 has zero security.

You guys have a middle button? Maaaan. :)<p>Edit: did y&#x27;all miss the smiley at the end of my comment?

Who pastes something and executes it without a second look?

Since when is openwall hosted in Russia? I only know because RU IP space is blocked at my gateway. Kind of ironic.

The problem is the middle paste option in Firefox. To turn it off do as follow:<p><pre><code> open a new tab type: about:config Accept the prompt type middlemouse.paste change value “true” to “false” (double click or switch on the rightside) restart firefox </code></pre> --does this solve it?