Messing With Copy/Paste Could Present Security Issues
from the just-let-copy-and-paste-work dept
John Gruber recently highlighted one of the more annoying things I've seen on multiple news websites lately: attempts to muck with basic copy & paste features. I've noticed it on Wired.com and SFGate.com among others. Gruber points out that it's also happening on TechCrunch and The New Yorker's website. From a user's standpoint, what happens is that when you copy some text, and then paste it somewhere else, through some JavaScript shenanigans, it appends a bit of extra text that you did not copy, usually saying something like "read more:" with a URL linking back to the original story.
As someone who does a fair bit of copying and pasting in writing this blog, I agree with Gruber that this is a bit of a nuisance. It's not a hugely annoying thing, but it is annoying. If I'm copying and pasting from your website, I know what your website is, and I am already planning to link back to it. Adding that superfluous text is just annoying and basically forcing my computer to do something I did not ask it to do.
Gruber tracked down the source of this annoyance: a company called Tynt, which not only enables this functionality for a bunch of sites that probably don't realize how annoying it is, but also tracks what you copy by sending that info back to its server. That's a bit creepy, frankly. Of course, since it's JavaScript, it's easy enough to block for those who know how to do that sort of thing. Still, Gruber's analysis of this makes sense:
It's a bunch of user-hostile SEO bullshit.
However, it may be even worse than that. Michael Scott points us to another analysis of this same issue, by Lance Cottrell, which highlights how breaking basic copy/paste functionality may be a security risk as well:
Everyone knows how copy and paste works. You select text. You copy. When you paste, what you get is exactly what you selected. The core product of the "copy/paste company" is a service that breaks copy and paste.
The pitch from Tynt to publishers is that their clipboard jiggery-pokery allows publishers to track where text copied from their website is being used, on the assumption that whoever is pasting the text is leaving the Tynt-inserted attribution URL, with its gibberish-looking tracking ID. This is, I believe, a dubious assumption. Who, when they paste such text and find this "Read more:" attribution line appended, doesn't just delete it (and wonder how it got there)?
Imagine a site with sample code which (when copied) inserted some damaging code into the middle of a large block.
Bad things happen when you break basic functionality to shove in fun marketing tricks and spy tactics.
I am worried that this capability exists at all within browsers. It seems like a major security vulnerability to me.
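A defender-side check for the behaviour described above, as an added example that is not from the original post, from Gruber or Cottrell, or from Tynt: it compares the text a user selected with what actually landed on the clipboard and reports where extra content was inserted, covering both the appended "Read more:" line and the mid-block insertion case. The function name, result fields and sample strings are constructed for illustration.

```javascript
// Added example: names and sample strings are constructed for illustration.
// Compares the text a user selected with what the clipboard actually holds.
function auditPaste(selected, pasted) {
  if (selected === pasted) {
    return { verdict: 'clean', offset: -1, inserted: '', removed: '', hasUrl: false };
  }
  const shorter = Math.min(selected.length, pasted.length);

  // Length of the common prefix.
  let p = 0;
  while (p < shorter && selected[p] === pasted[p]) p++;

  // Length of the common suffix, not allowed to overlap the prefix.
  let s = 0;
  while (s < shorter - p &&
         selected[selected.length - 1 - s] === pasted[pasted.length - 1 - s]) s++;

  // Whatever lies between prefix and suffix is what changed.
  const removed = selected.slice(p, selected.length - s);
  const inserted = pasted.slice(p, pasted.length - s);

  let verdict;
  if (removed.length > 0) verdict = 'rewritten';        // the selection itself was altered
  else if (p === selected.length) verdict = 'appended'; // e.g. a "Read more:" line
  else if (p === 0) verdict = 'prepended';
  else verdict = 'mid-block';                           // content spliced into the middle

  return { verdict, offset: p, inserted, removed, hasUrl: /https?:\/\//i.test(inserted) };
}

// Constructed sample 1: an attribution line with a tracking URL added after the selection.
const SELECTED_TEXT = 'When you paste, what you get is exactly what you selected.';
const PASTED_TEXT = SELECTED_TEXT + '\n\nRead more: https://news.example/story#PLACEHOLDER-ID';

// Constructed sample 2: an extra (harmless) line spliced into copied sample code.
const SELECTED_CODE = 'make clean\nmake\nmake install\n';
const PASTED_CODE = 'make clean\nmake\necho constructed-extra-line\nmake install\n';

console.log(auditPaste(SELECTED_TEXT, PASTED_TEXT).verdict);
console.log(auditPaste(SELECTED_CODE, PASTED_CODE));
```

In a browser, the two inputs would be `window.getSelection().toString()` and the clipboard text read back after the copy; anything other than `clean` means a script on the page changed what was copied.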