Clipboard being taken over through website

Question

Clipboard being taken over through website

This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:

http://windowsxp-privacy.net/?id=198760083

And once it's in the clipboard, I can't copy anything else over it until I've restarted the machine.

I'm only going to websites that are directly linked off the main page of digg.com, so they're not obscure, and I'm surfing in firefox, though the system wide clipboard is getting taken over, so I can't even copy something over that from a program like TextEdit.

I'm wondering if this has been happening to anyone else and if you you've found a way to take back the clipboard without rebooting.

8-Core PowerMac, iMac, Mac OS X (10.5.4)

Posted on Jul 30, 2008 12:03 PM

Reply

Answer 1

orangekay

Level 5

4,085 points

Aug 19, 2008 9:23 AM in response to Andrew Sinclair1

That URL triggers a series of redirects, first going to

http://mytube4.com/soft.php?aid=024209&d=3&product=XPA

and then to

http://internetscanner2009.com/2009/1/freescan.php?aid=77024209

freescan.php calls

window.open('_freescan.php?aid=77024209', '_self');

which delivers the obfuscated JavaScript payload. This page references the files


http://internetscanner2009.com/2009/1/fileslist.js
http://internetscanner2009.com/2009/1/progressbar2.js
http://internetscanner2009.com/2009/1/common.js

If you attempt to download whatever they're offering it sends you

http://internetscanner2009.com/2009/download/trial/AV2009Install_77024209.exe

which should not do anything on a Mac. I can't find any evidence of JavaScript being able to manipulate the clipboard through Safari, though it is apparently possible in IE and Firefox. Are any of the people complaining of this problem using Safari exclusively?

Reply

Answer 2

badb0y

Level 1

0 points

Aug 19, 2008 10:22 AM in response to Andrew Sinclair1

Hi guys,

I think this will help explain what's going on.... http://preview.tinyurl.com/5tcl8b

Good day.

Reply

Answer 3

orangekay

Level 5

4,085 points

Aug 19, 2008 10:32 AM in response to Andrew Sinclair1

Well now I feel even better about refusing to run with Flash installed. Just wait until somebody does this with a PDF crafted in Acrobat 9.

Reply

Answer 4

CT

Level 7

23,987 points

Aug 19, 2008 12:22 PM in response to orangekay

I know this is a little off topic, but could somebody explain why Flash was ever allowed access to the clipboard in the first place? What is the (legitimate) purpose of this?

Also: it seems like people reporting this always are using Firefox. Presumably the vulnerability (Flash access to clipboard) is universal, i.e., allowed by all properly function browsers with Flash enabled?

Thanks for insights.

charlie

Reply

Answer 5

orangekay

Level 5

4,085 points

Aug 19, 2008 12:44 PM in response to CT

Adobe wants to turn Flash into an operating system which they can embed into every product they sell.

Reply

Answer 6

STWriter

Level 1

5 points

Aug 19, 2008 2:25 PM in response to CT

Yes, the article I reference a couple posts earlier states Windows & MAC/Firefox affected.

When I ran Windows, I could usually find the file where things like this problem are stored, and could manually delete them. Anyone know the directory for this stuff on a Mac?

Reply

Answer 7

orangekay

Level 5

4,085 points

Aug 19, 2008 3:21 PM in response to STWriter

What file are you talking about?

Reply

Answer 8

Aug 20, 2008 12:57 AM in response to Andrew Sinclair1

After seeing your post quoted in a Computerworld article, I went to the website whose link you have published, and absolutely nothing happens to the clipboard. I have tried with three different browsers. I don't see how this could do anything to your clipboard, and I think that there's some confusion going on. You're describing - in detail - something that happens on Windows, but you're saying it's happening to your Mac. Others in this thread are saying it's not happening, and find no code on the page that could be doing what you suggest. It makes me wonder if you're serious about what you're saying...

Reply

Answer 9

Aug 20, 2008 5:45 AM in response to CT

I think that you are indeed exactly on topic!
I am not terrible savvy on Mac OS X but I think the following is true.
Any running application (and Flash is an application) can read or write the clipboard at any time.
If you put a password on a clipboard, some program that has arranged to still be running can make a copy of it and presumably send it out of your computer in a UDP packet.
It is not clear what the rules should be for allowing access to the clipboard.
Perhaps only programs 'associated' with the window with focus.

Reply

Answer 10

STWriter

Level 1

5 points

Aug 20, 2008 9:55 AM in response to orangekay

Somewhere on the hard drive is a file holding the contents of the clipboard. Just as there is a HOSTS file with DNS info, and drivers, etc. Using TERMINAL and UNIX commands you can open and modify the files -- maybe it can be deleted that way, if you don't want to re-boot.

Reply

Answer 11

orangekay

Level 5

4,085 points

Aug 20, 2008 10:07 AM in response to STWriter

The clipboard is maintained in memory and anything that is placed on it can be loaded lazily if and when it's actually needed to conserve resources. This is how you are able to copy and past gigantic images in Photoshop without bogging the entire OS down.

There is absolutely no reason why you should have to reboot to kill a Flash ad--just quit the browser and it's gone.

I don't think there are very many Mac users posting in this thread at all.

Reply

Answer 12

orangekay

Level 5

4,085 points

Aug 20, 2008 10:33 AM in response to OldHacker

OldHacker wrote:
Any running application (and Flash is an application) can read or write the clipboard at any time.

Flash is not an application in this case, it's a plugin running within a host application's execution context.

Reply

Answer 13

Aug 20, 2008 11:03 AM in response to STWriter

Realist1953 wrote:
Somewhere on the hard drive is a file holding the contents of the clipboard.

That is complete nonsense. The clipboard is not stored in a file. Plus, it doesn't solve the problem. There is nothing "weird" in your clipboard; the problem is that the Flassh applet, while running, is constantly "updating" your clipboard with that malicious URL. So if you copy something else, it gets overwritten soon after.

Solution: Quit (not close - Quit!) all browsers. That's all.

Sidenote: The concept of a Flash applet having access to my clipboard is just ridiculous.

Reply

Answer 14

biovizier

Level 5

7,925 points

Aug 20, 2008 11:51 AM in response to Kirk McElhearn

Have you tried this demo?
http://raffon.net/research/flash/cb/test.html

It was still working as of today (Aug 20) on my 10.5.4 ppc / Safari Version 3.1.2 (5525.20.1) / Flash Player 9.0.124.0.

Edit: I should mention that as others have posted already, quitting running browsers is enough to get use of the clipboard back, at least on my system.

Reply

Answer 15

Aug 20, 2008 1:43 PM in response to Andrew Sinclair1

So, this forum got as far as being mentioned on slashdot and zdnet (http://it.slashdot.org/it/08/08/20/0029220.shtml , http://blogs.zdnet.com/security/?p=1733), so I think it's fair to call this resolved: some ******* is using flash entirely inappropriately. What a surprise...

Reply