Security: Clickjacking attack against docs.google.com allows any website to get contents of the clipboard
Reported by
benweiss...@gmail.com,
Jun 16 2017
Issue description

BACKGROUND

1) Web pages are permitted to read the system clipboard in certain cases, as specified in the W3C clipboard API working draft: https://w3c.github.io/clipboard-apis/#allow-read-clipboard. In particular, web pages are only permitted to read from the clipboard if given explicit permission by the user, or if the paste action is triggered through the user agent's own interface (e.g. using the browser's Edit menu or the Cmd+V keyboard shortcut).

2) Chrome makes an exception to this rule specifically for Google Docs. Google Docs has its own menu system in the page with a paste option that is permitted to read from the system clipboard. This only works on Chrome -- in Firefox, for example, trying to use that menu item pops up a dialog box instructing the user to use the keyboard shortcut (so that the page will have clipboard access, as discussed above).

3) Google Docs does not set the X-Frame-Options header to prevent clickjacking attacks for publicly-editable Google Docs.

VULNERABILITY DETAILS

The exploit is a simple clickjacking attack: a publicly-editable Google spreadsheet is embedded within a page that obscures the Google Sheets UI and overlays a UI that tricks the user into clicking the "paste" option in Google Sheets. Once the user has done this, they have unknowingly pasted the contents of their clipboard into the publicly-editable Google doc, where the attacker can then retrieve it.

The impact of this bug is that a malicious website can quietly capture the contents of the user's clipboard by getting the user to perform a few reasonable-looking clicks. The clipboard might contain a password from a password manager or other highly-sensitive data. The user is unlikely to realize that they have been exploited.

VERSION

I suspect this affects all recent versions of Chrome across all operating systems, but I have tested my reproduction on:
Chrome Version: 58.0.3029.110 stable
Operating System: MacOS Sierra 10.12.5

REPRODUCTION CASE

I have attached an HTML file that reproduces the bug and provides a realistic example of a clickjacking attack. It talks to a small AWS lambda function that fetches the pasted text and then clears the spreadsheet cell. The code for that lambda function is included in a comment in the attached HTML file (included for completeness, but it's not particularly relevant to the exploit).

SUGGESTED REMEDIATION

The special exception for docs.google.com should not apply when docs.google.com is embedded within an iframe. I was not able to find the relevant code within Chrome, but I'm happy to create a patch to solve this issue if someone could give me a pointer to the relevant part of the code. Alternatively, the code for Google Docs itself could perform this check and not use its elevated privileges when it's embedded in an iframe.
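The remediation the report suggests for the page side, as an added example that is not Google Docs' or Chromium's code: a privileged in-page paste that only reads the system clipboard from a top-level frame, alongside the headers that stop the document being framed at all. The window is passed as a parameter so the logic can be exercised against constructed window objects; `guardedPaste`, `readClipboard` and the header values are assumptions, not anything from the report.

```javascript
// Added example, not code from the report, Google Docs or Chromium.
// In a real page `win` would simply be the global `window`.

// A document is embedded when its window is not the top-level browsing context.
function isEmbedded(win) {
  return win.self !== win.top;
}

// Privileged in-page paste: read the system clipboard only when the document
// is the top-level frame. When embedded, fall back to the behaviour the report
// describes for Firefox: tell the user to use the keyboard shortcut, which goes
// through the user agent's own interface and is what the spec permits.
function guardedPaste(win, readClipboard) {
  if (isEmbedded(win)) {
    return { pasted: null, reason: 'embedded-frame-use-keyboard-shortcut' };
  }
  return { pasted: readClipboard(), reason: null };
}

// Response headers that refuse framing outright (the report notes that
// publicly-editable docs were served without X-Frame-Options). The CSP
// directive is the modern equivalent and takes precedence where supported.
function frameProtectionHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed stand-ins for a top-level window and for one inside an iframe.
const topLevelWindow = {};
topLevelWindow.self = topLevelWindow;
topLevelWindow.top = topLevelWindow;

const framedWindow = {};
framedWindow.self = framedWindow;
framedWindow.top = topLevelWindow; // a framed document's top is the embedder

// A stand-in for the privileged clipboard read; never reached when framed.
const readClipboardStub = () => 'constructed clipboard contents';
```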
Jun 16 2017
Thanks for the prompt response! I do think that this is a combination of vulnerabilities in both Chrome and Google Docs -- Chrome makes an exception for Google Docs and allows it to access the system clipboard in a way that's not permitted by the spec for security reasons, and Google Docs does not handle its elevated privileges with sufficient care. Ultimately, I think the responsibility here lies with Chrome -- it's the user agent's job to protect the user's system clipboard from leakage, regardless of issues with a particular website. That said, I'll also submit this to the Google VRP because fixing this in Google Docs may be the most expedient way to protect users. I do, however, urge the Chrome team to reconsider giving Google Docs this special privilege (especially inside an iframe). I'll follow up on this ticket when I hear back from the Google VRP. Thanks again for such a quick reply!
Jun 16 2017
+garykac When we ship paste to the open web, preventing access from iframes would prevent this.
Jun 18 2017
Re #3: This was also a recommendation I made. +benwells - could we put in a restriction that docs hosted apps can only copy/paste from a top-level frame?
Sep 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by est...@chromium.org, Jun 16 2017
Components: Platform>Apps
Labels: Security_Impact-None
Status: WontFix (was: Unconfirmed)