This discussion is archived

Clipboard being taken over through website

27502 Views 40 Replies Latest reply: Sep 26, 2008 9:53 AM by rwire326
  • STWriter Level 1 (5 points)
    Aug 19, 2008 8:07 AM (in response to Andrew Sinclair1)
    Check this article

    http://news.bbc.co.uk/2/hi/technology/7567889.stm

    This site tells about the hijacking of the clipboard. I clicked on a link in a known-sourced email {reunion.com} and it went to "theregister" and "ran" their virus check even though I tried to select cancel.

    Can anyone tell me where the SOURCE PAGE or FILE for the clipboard is on the MAC?? I want to see where it is physically on the PC. And I will check the html source on the page that takes me there to try to find the offending link. And WHY is it "hard to delete"??

    So far, when this pops up on my PC, I have had to open "Activity Monitor", select FireFox, and do a "Force Quit" to stop the thing. Though I suspect the thing was still there -- I typed in the link [reunion.com] in the address bar and it still went to the fake site. THAT makes me think they may have taken over the DNS site --- though maybe Firefox / PC used a local copy of the addresses instead of flushing & going to a real DNS web server.
    Macbook, Mac OS X (10.5.4), Firefox
  • orangekay Level 5 (4,085 points)
    Aug 19, 2008 9:23 AM (in response to Andrew Sinclair1)
    That URL triggers a series of redirects, first going to

    http://mytube4.com/soft.php?aid=024209&d=3&product=XPA


    and then to

    http://internetscanner2009.com/2009/1/freescan.php?aid=77024209


    freescan.php calls

    window.open('_freescan.php?aid=77024209', '_self');


    which delivers the obfuscated JavaScript payload. This page references the files


    http://internetscanner2009.com/2009/1/fileslist.js
    http://internetscanner2009.com/2009/1/progressbar2.js
    http://internetscanner2009.com/2009/1/common.js


    If you attempt to download whatever they're offering it sends you

    http://internetscanner2009.com/2009/download/trial/AV2009Install_77024209.exe


    which should not do anything on a Mac. I can't find any evidence of JavaScript being able to manipulate the clipboard through Safari, though it is apparently possible in IE and Firefox. Are any of the people complaining of this problem using Safari exclusively?
    Several, Mac OS X (10.5.2)
  • badb0y
    Aug 19, 2008 10:22 AM (in response to Andrew Sinclair1)
    Hi guys,

    I think this will help explain what's going on.... http://preview.tinyurl.com/5tcl8b

    Good day.
    Mac OS X (10.4.10)
  • orangekay Level 5 (4,085 points)
    Aug 19, 2008 10:32 AM (in response to Andrew Sinclair1)
    Well now I feel even better about refusing to run with Flash installed. Just wait until somebody does this with a PDF crafted in Acrobat 9.
    Several, Mac OS X (10.5.2)
  • CT Level 6 (15,035 points)
    Aug 19, 2008 12:22 PM (in response to orangekay)
    I know this is a little off topic, but could somebody explain why Flash was ever allowed access to the clipboard in the first place? What is the (legitimate) purpose of this?

    Also: it seems like people reporting this always are using Firefox. Presumably the vulnerability (Flash access to clipboard) is universal, i.e., allowed by all properly functioning browsers with Flash enabled?

    Thanks for insights.

    charlie
    Mac OS X (10.5.4)
  • orangekay Level 5 (4,085 points)
    Aug 19, 2008 12:44 PM (in response to CT)
    Adobe wants to turn Flash into an operating system which they can embed into every product they sell.
    Several, Mac OS X (10.5.2)
  • STWriter Level 1 (5 points)
    Aug 19, 2008 2:25 PM (in response to CT)
    Yes, the article I reference a couple posts earlier states Windows & MAC/Firefox affected.

    When I ran Windows, I could usually find the file where things like this problem are stored, and could manually delete them. Anyone know the directory for this stuff on a Mac?
    Macbook, Mac OS X (10.5.4)
  • orangekay Level 5 (4,085 points)
    Aug 19, 2008 3:21 PM (in response to STWriter)
    What file are you talking about?
    Several, Mac OS X (10.5.2)
  • Kirk McElhearn Level 2 (155 points)
    Aug 20, 2008 12:57 AM (in response to Andrew Sinclair1)
    After seeing your post quoted in a Computerworld article, I went to the website whose link you have published, and absolutely nothing happens to the clipboard. I have tried with three different browsers. I don't see how this could do anything to your clipboard, and I think that there's some confusion going on. You're describing - in detail - something that happens on Windows, but you're saying it's happening to your Mac. Others in this thread are saying it's not happening, and find no code on the page that could be doing what you suggest. It makes me wonder if you're serious about what you're saying...
  • OldHacker
    Aug 20, 2008 5:45 AM (in response to CT)
    I think that you are indeed exactly on topic!
    I am not terribly savvy on Mac OS X but I think the following is true.
    Any running application (and Flash is an application) can read or write the clipboard at any time.
    If you put a password on a clipboard, some program that has arranged to still be running can make a copy of it and presumably send it out of your computer in a UDP packet.
    It is not clear what the rules should be for allowing access to the clipboard.
    Perhaps only programs 'associated' with the window with focus.
    MacBook, Mac OS X (10.5.4), 2GB
  • STWriter Level 1 (5 points)
    Aug 20, 2008 9:55 AM (in response to orangekay)
    Somewhere on the hard drive is a file holding the contents of the clipboard. Just as there is a HOSTS file with DNS info, and drivers, etc. Using TERMINAL and UNIX commands you can open and modify the files -- maybe it can be deleted that way, if you don't want to re-boot.
    Macbook, Mac OS X (10.5.4)
  • orangekay Level 5 (4,085 points)
    Aug 20, 2008 10:07 AM (in response to STWriter)
    The clipboard is maintained in memory and anything that is placed on it can be loaded lazily if and when it's actually needed to conserve resources. This is how you are able to copy and paste gigantic images in Photoshop without bogging the entire OS down.

    There is absolutely no reason why you should have to reboot to kill a Flash ad--just quit the browser and it's gone.

    I don't think there are very many Mac users posting in this thread at all.
    Several, Mac OS X (10.5.2)
  • orangekay Level 5 (4,085 points)
    Aug 20, 2008 10:33 AM (in response to OldHacker)
    OldHacker wrote:
    Any running application (and Flash is an application) can read or write the clipboard at any time.


    Flash is not an application in this case, it's a plugin running within a host application's execution context.
    Several, Mac OS X (10.5.2)
  • fbitterlich
    Aug 20, 2008 11:03 AM (in response to STWriter)
    Realist1953 wrote:
    Somewhere on the hard drive is a file holding the contents of the clipboard.


    That is complete nonsense. The clipboard is not stored in a file. Plus, it doesn't solve the problem. There is nothing "weird" in your clipboard; the problem is that the Flash applet, while running, is constantly "updating" your clipboard with that malicious URL. So if you copy something else, it gets overwritten soon after.

    Solution: Quit (not close - Quit!) all browsers. That's all.

    Sidenote: The concept of a Flash applet having access to my clipboard is just ridiculous.
    iMac 24", Mac OS X (10.5.4)
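
The overwrite pattern described in the post above (a value that keeps returning to the clipboard shortly after the user copies something else) can be recognised from periodic clipboard samples. This is an added example, not part of any post in this thread; the sample data, the placeholder URL and the thresholds are constructed assumptions.

```python
import subprocess
import time

# Constructed samples: (seconds, clipboard text). The URL is a placeholder.
BAD = "http://hijack.example/freescan"
HIJACKED = [(0, "meeting notes"), (1, BAD), (2, BAD), (3, "my own text"),
            (4, BAD), (5, "another thing"), (6, BAD), (7, BAD),
            (8, "third thing"), (9, BAD)]
# Constructed control: a user who re-copies the same text much later.
BENIGN = [(0, "a"), (5, "b"), (30, "a"), (60, "c")]


def find_reasserted(samples, min_returns=3, max_gap=2.0):
    """Return {value: returns} for values that keep coming back quickly.

    A "return" is counted when a value that was displaced by a different
    one becomes the clipboard content again within max_gap seconds.
    """
    displaced_at = {}   # value -> time it was last replaced
    returns = {}        # value -> number of quick come-backs
    prev = None
    for ts, text in samples:
        if prev is not None and text != prev:
            displaced_at[prev] = ts
            lost = displaced_at.get(text)
            if lost is not None and ts - lost <= max_gap:
                returns[text] = returns.get(text, 0) + 1
        prev = text
    return {v: n for v, n in returns.items() if n >= min_returns}


def poll_clipboard(count, interval=0.5):
    """Collect live samples on macOS with pbpaste (not used by the demo)."""
    start, out = time.time(), []
    for _ in range(count):
        text = subprocess.run(["pbpaste"], capture_output=True, text=True).stdout
        out.append((time.time() - start, text))
        time.sleep(interval)
    return out


if __name__ == "__main__":
    print(find_reasserted(HIJACKED))   # flags the placeholder URL
    print(find_reasserted(BENIGN))     # nothing flagged
```

On a Mac, `find_reasserted(poll_clipboard(60))` applies the same check to live samples while you copy a few different things; a flagged value that stops reappearing once every browser is quit is consistent with the behaviour reported in this thread.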
  • biovizier Level 5 (7,925 points)
    Aug 20, 2008 11:51 AM (in response to Kirk McElhearn)
    Have you tried this demo?
    http://raffon.net/research/flash/cb/test.html

    It was still working as of today (Aug 20) on my 10.5.4 ppc / Safari Version 3.1.2 (5525.20.1) / Flash Player 9.0.124.0.

    Edit: I should mention that as others have posted already, quitting running browsers is enough to get use of the clipboard back, at least on my system.
