Messing With Copy/Paste Could Present Security Issues
from the just-let-copy-and-paste-work dept
John Gruber recently highlighted one of the more annoying things I've seen on multiple news websites lately: attempts to muck with basic copy & paste features. I've noticed it on Wired.com and SFGate.com among others. Gruber points out that it's also happening on TechCrunch and The New Yorker's website. From a user's standpoint, what happens is that when you copy some text, and then paste it somewhere else, through some javascript shenanigans, it appends a bit of extra text that you did not copy, usually saying something like "read more:" with a URL linking back to the original story.

As someone who does a fair bit of copying and pasting in writing this blog, I agree with Gruber that this is a bit of a nuisance. It's not a hugely annoying thing, but it is annoying. If I'm copying and pasting from your website, I know what your website is, and I am already planning to link back to it. Adding that superfluous text is just annoying and basically forcing my computer to do something I did not ask it to do.
Gruber tracked down the source of this annoyance: a company called Tynt, that not only enables this functionality for a bunch of sites that probably don't realize how annoying it is, but also tracks what you copy by sending that info back to its server. That's a bit creepy, frankly. Of course, since it's javascript, it's easy enough to block for those who know how to do that sort of thing. Still, Gruber's analysis of this makes sense:
It's a bunch of user-hostile SEO bullshit.

However, it may be even worse than that. Michael Scott points us to another analysis of this same issue, by Lance Cottrell, which highlights how breaking basic copy/paste functionality may be a security risk as well:
Everyone knows how copy and paste works. You select text. You copy. When you paste, what you get is exactly what you selected. The core product of the "copy/paste company" is a service that breaks copy and paste.
The pitch from Tynt to publishers is that their clipboard jiggery-pokery allows publishers to track where text copied from their website is being used, on the assumption that whoever is pasting the text is leaving the Tynt-inserted attribution URL, with its gibberish-looking tracking ID. This is, I believe, a dubious assumption. Who, when they paste such text and find this "Read more:" attribution line appended, doesn't just delete it (and wonder how it got there)?
Imagine a site with sample code which (when copied) inserted some damaging code in to the middle of a large block.

Bad things happen when you break basic functionality to shove in fun marketing tricks and spy tactics.
I am worried that this capability exists at all within browsers. It seems like a major security vulnerability to me.
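The mechanism the article describes (a script that listens for the copy event and swaps in the selection plus a "Read more:" line) and the user-side countermeasure that NoScript and Greasemonkey users reach for, shown side by side as an added JavaScript example written for this page; it is not Tynt's code and not anything from the article or from Gruber's or Cottrell's posts. The browser's DOM event model is replaced by a small stand-in so the file runs under Node without a browser, and the tracking URL, element names and sample text are constructed placeholders.

```javascript
// Stand-in for the DOM event model (constructed for this example, not the real DOM):
// capture phase root -> target's parent, then the target, then bubble target -> root.
class FakeNode {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.listeners = []; // { type, fn, capture }
  }
  addEventListener(type, fn, capture = false) {
    this.listeners.push({ type, fn, capture });
  }
  runListeners(ev, capture) {
    for (const l of this.listeners) {
      if (l.type !== ev.type || l.capture !== capture) continue;
      l.fn(ev);
      if (ev.immediateStopped) return;
    }
  }
  dispatchEvent(ev) {
    const path = [];
    for (let n = this; n; n = n.parent) path.push(n); // target ... root
    // capture phase: root down to the target's parent
    for (let i = path.length - 1; i > 0 && !ev.stopped; i--) path[i].runListeners(ev, true);
    // target phase: capture listeners first, then bubble listeners
    if (!ev.stopped) {
      this.runListeners(ev, true);
      if (!ev.immediateStopped) this.runListeners(ev, false);
    }
    // bubble phase: target's parent up to the root
    for (let i = 1; i < path.length && !ev.stopped; i++) path[i].runListeners(ev, false);
    return !ev.defaultPrevented; // true: the browser would perform its default copy
  }
}

// Minimal copy event carrying the selected text and a clipboardData store.
class FakeClipboardEvent {
  constructor(type, selection) {
    this.type = type;
    this.selection = selection;
    this.stopped = false;
    this.immediateStopped = false;
    this.defaultPrevented = false;
    const data = {};
    this.clipboardData = {
      setData: (mime, value) => { data[mime] = value; },
      getData: (mime) => data[mime],
    };
  }
  preventDefault() { this.defaultPrevented = true; }
  stopPropagation() { this.stopped = true; }
  stopImmediatePropagation() { this.stopped = true; this.immediateStopped = true; }
}

// Placeholder for the attribution URL; a real script carries a tracking id here.
const TRACKING_URL = 'https://example.com/story#constructed-tracking-id';

// What an attribution script of the kind the article describes does (constructed
// approximation, not Tynt's code): on copy, replace the clipboard text with the
// selection plus a "Read more:" line, and suppress the browser's own copy.
function installAttributionScript(articleNode) {
  articleNode.addEventListener('copy', (ev) => {
    ev.clipboardData.setData('text/plain', ev.selection + '\n\nRead more: ' + TRACKING_URL);
    ev.preventDefault();
  });
}

// Defensive user script: a capture-phase listener on the document runs before any
// listener on the article. Stopping propagation there means the page's handler never
// sees the event, nothing calls preventDefault, and the browser copies the selection as-is.
function installCopyGuard(documentNode) {
  documentNode.addEventListener('copy', (ev) => ev.stopImmediatePropagation(), true);
}

// Simulate the user copying `selection` from the article and return what lands on
// the clipboard. Without preventDefault the default action copies the selection unchanged.
function simulateCopy(articleNode, selection) {
  const ev = new FakeClipboardEvent('copy', selection);
  const runDefault = articleNode.dispatchEvent(ev);
  return runDefault ? selection : ev.clipboardData.getData('text/plain');
}

// Build document > body > article, with the attribution script always installed
// and the guard installed only when requested.
function buildPage({ guarded }) {
  const doc = new FakeNode('document');
  const body = new FakeNode('body', doc);
  const article = new FakeNode('article', body);
  if (guarded) installCopyGuard(doc);
  installAttributionScript(article);
  return article;
}

// What a user does by hand when the line shows up after pasting: drop the trailing
// "Read more:" line and keep only the text that was actually selected.
function stripAppendedAttribution(text) {
  return text.replace(/\n\nRead more: \S+$/, '');
}

console.log('unguarded:', JSON.stringify(simulateCopy(buildPage({ guarded: false }), 'Some article text')));
console.log('guarded:  ', JSON.stringify(simulateCopy(buildPage({ guarded: true }), 'Some article text')));
```

In a real browser the guard would be a user script registered on `document` in the capture phase before any page script runs (Greasemonkey's `@run-at document-start`), which is why it has to be installed ahead of the page's own listeners. It only defuses handlers that work through the copy event; a script that instead enlarges the selection to include hidden markup before the copy happens would need a different check.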
Reader Comments
Firefox/IE - Disable
Tools> Options> Content tab> Uncheck enable Javascript
IE 5.5/6:
Tools> Internet Options> Security> Internet> Custom Level> Disable Active scripting
IE7:
Tools> Options> Security> Internet> Custom level> Scroll down to Scripting and select the radio button to Enable or Disable it. You may also opt for IE7 to Prompt you to allow scripts to run.
To be clear....
Whack a Taynt
Several people have re-posted the /etc/hosts method of blocking tynt (adding the tynt collection server to your hosts file as loopback 127.0.0.1). However, I doubt it will take long before Tynt defeats this by hard coding their IPs or using a multitude of different registered host names.
Browser based fixes might also take a simplistic approach to the problem, which could then be circumvented anew.
Sounds like Javascript needs to be gimped thanks to one bunch of money grabbing assholes.
NoScript
Re: Whack a Taynt
I know that's a - very minor - but quick way to get me to hit the 'back' button and proceed on down the search for another hit.
I don't care, it's their site - they can block what they want and it's my choice as to what sites I want to frequent.
But I know if Techdirt blocks copy/paste; then I'll quickly get annoyed and wander off. But I wonder.... how many more people frequent the site here maybe due to my pasting of articles with a link to the site...
There's a few I just know offhand to skip over if I see a link on a search, because they are a pain.
NoScript is
I am a fairly savvy computer user. Every couple of months I give NoScript a try. I always uninstall it within a day.
Today I decided to try it again after reading this article.
On Techdirt alone I have to make decisions not only about Techdirt.com, but googlesyndication.com, backtype.com, fmpub.net and quantserve.com. Just for this one website. It is more trouble than it is worth. How much time is a user expected to devote to deciphering what is trustworthy and what is not? Even with NoScript, one mistake in allowing the wrong script and you have completely undone all your hard work.
Copy/paste
Re: Copy/paste
Just get GreasMonkey
Not that much work....
Sites that require third-party scripting to work are sites I don't visit much, but should I want to and I'm too busy/lazy to figure out which third party scripts are required, I can temporarily allow all scripts during that visit.
Re: Firefox/IE - Disable
Re: NoScript is
At the most, trust the base site you are on if you trust the author.
Security requires effort, like math, Barbie.
This would go one of two ways.
2. The copy/paster is not going to add a link back to the original source thus all they're gonna do is delete the extra bits.
So either you're going to annoy the people who were going to link back anyway or add one extra step to people who weren't going to link back anyway.
Re: Copy/paste
Getting to the point
Fixed it for ya
Kidding aside, if you're going to cut/paste anything from a website, always scan the code for unnecessary stuff, whether it's harmless or harmful, and whack it.
Clean code is happy code.
Re: Getting to the point
Disagree there, in the beginning Javascript was a liability and a dog. Increased computing power and years of "refining" have soothed the latter.
The troubling part of this is that the AJAX approach (not really a language) is at the heart of many rich media and app-like sites that led to the (now meaningless) term "Web 2.0".
Javascript and its ilk may show many signs of "suckiness", but they are the present and the immediate future of countless "home grown" business apps and popular, modern websites.
cbc.ca
Re: Not that much work....
To be quite honest, the more decent sites don't run hundreds of scripts and you often need only enable a single script for a site to work, if any. At least that's my experience.
Re:
Of course some people will have you believe the contrary so they can show you ads :)
Even though there is some virtualization (e.g. ZoneAlarm ForceField) available from anti-virus PACKAGES (see the all caps there: the package, not the scanner), most people don't even know how to use it. Hint: it can be as easy as ticking a box, but still those virtualization solutions have some leaky points, mainly because they try very hard to be user friendly and security is an afterthought.
Does it just insert a hidden citation and reposition the selection in the interval between selection and copying?
Opt-out
Also, another side effect is that their JS sometimes has some odd bugs. I had an issue on the TechCrunch site the other day where it was preventing me from copying text that I had typed inside the comment box. If I'm copying and pasting my own text, there's no conceivable reason why you'd want to muck with that.
I mentioned this on Twitter briefly and the Tynt person said they were working on it. Still, very annoying at times.
Re: Firefox/IE - Disable
Re: NoScript is
Sure, I allow techdirt. Google syndication I don't really need; it's just ads. Google-analytics is an absolute nono ... that's the click and mouse tracking junk.
I've got all my trusted sites allowed and everything else blocked by default.
It's really not that hard to train a new user to understand it. You teach them to first allow only temporarily the domain they are visiting, and if every thing seems ok, you allow it permanently.
If they accidentally allow all on the page, it's not worse than browsing without it.
If they are too stupid to right click an icon and permit scripts, get off my computer and go home.
Re: Just get GreasMonkey
Assumptions
I just wanted to chime in to say that we respect how users feel about our product and their clipboards. We're upfront about the opt-out feature - it's on our homepage.
I'd like to correct the assumptions. We're not in the business of policing copyright or recording personal identifiable information. We are a social media service that lets publishers benefit from the simplest form of sharing: copy/paste.
We're sorry it seems creepy on the surface. That's not the intent, nor do I believe it to be the reality. Again, for those that don't want their anonymous data collected, they can opt-out - in the same way that you can from ad networks.
As for whether users leave the attribution link in place, many do. Millions per month. I can understand Gruber's opinion that proper "web etiquette" dictates that we should (and are?) linking back already. That's not emblematic of the typical internet user (Did you see Danny Sullivan's piece on how his post was ripped off without attribution?), especially when sharing copied text via email. 70% of sharing happens via email where users are much less inclined to post a backlink.
Outside of email, the links are also left in place to a dramatic degree. These are SEO-friendly links and some publishers are seeing the results that 1000s of new links/month bring them.
As for security, we take that very seriously. We're listening and taking note.
Thanks,
Jim Hirshfield
VP of Business Development
Tynt Multimedia
Re: Assumptions
True, I opt out of both in the same way: not letting them onto my computer in the first place. ;-)
Re: Assumptions
Oh come on. The vast majority of people this affects will NEVER see YOUR home page. I've seen this "feature" on tons of sites, and none of them mention Tynt. Most people have no idea it's your company doing this.
I'd like to correct the assumptions. We're not in the business of policing copyright or recording personal identifiable information. We are a social media service that lets publishers benefit from the simplest form of sharing: copy/paste.
By breaking copy/paste?
We're sorry it seems creepy on the surface. That's not the intent, nor do I believe it to be the reality. Again, for those that don't want their anonymous data collected, they can opt-out - in the same way that you can from ad networks.
Again, only if they know about you, but none of the sites using your thing make that clear.
As for whether users leave the attribution link in place, many do. Millions per month. I can understand Gruber's opinion that proper "web etiquette" dictates that we should (and are?) linking back already. That's not emblematic of the typical internet user (Did you see Danny Sullivan's piece on how his post was ripped off without attribution?), especially when sharing copied text via email. 70% of sharing happens via email where users are much less inclined to post a backlink.
First of all, Danny's thing was TOTALLY different. That was not a case of copy/pasting at all, but the press rewriting his article. That's a total apples and oranges situation.
And, I'm sorry, but that's ridiculous to think that most people don't link back.
Outside of email, the links are also left in place to a dramatic degree. These are SEO-friendly links and some publishers are seeing the results that 1000s of new links/month bring them.
Yeah, you're picking up SEO from spammers by annoying all people who expect copy and paste to work as it should.
What you're doing is not a good thing.
Re:
Browser flaw being abused
This wouldn't be anywhere near the first time a "feature" in javascript was abused horribly to break basic functionality. Whoever thought letting web pages resize and move your browser window was a good idea? Or replacing status bar text (a HUGE security flaw).
I would much rather "approve" extended JS functionality on the few sites that legitimately use it, rather than have everything default to on. Just like Flash doesn't leave your webcam wide open to every page you visit.
You better believe Tynt and companies like them would be snapping pictures of you with your own webcam if Flash or Javascript let them - it's up to the web browsers to vigilantly protect us from this sort of abuse, and remove these features once companies or hackers find a way to abuse them.
What Tynt should have done
Re: Re: Firefox/IE - Disable
Re:
Now, should there be some things that scripts aren't allowed to do? Hell yes, and Mozilla and others are realizing that and BLOCKING those behaviors today.
Re: Re: Not that much work....
Sure you are worm
You and your kind need to be in jail for this sort of behavior on the internet. They stick script kiddies in jail all the time for much less; yet somehow scourge like you seem to be able to avoid wearing a prison number. I wonder why that is Mr Hirshfield?
Only difference between scum like you and hackers is that you somehow manage to get a business license to do your money changing. And for the most part hackers have a sense of ethics to the computer world.
The BS line of people can "opt-out," doesn't wash. End users didn't even know who pond scum like you were until we went looking to figure out who hijacked our clipboards.
One day, you and people like you will stand judgement.
It is my wish you, and parasites like you bear the full brunt of that judgement when it comes.
Have a nice day...
Write your own material.
Write your own material!!!
Re: Write your own material.
You're right, this site is terrible. You should not visit it again. Find someplace more original, and post your comments there.