Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Flash Ads Launching Clipboard Hijack Attacks

Posted by kdawson on from the poisoning-the-ad-pool dept.

bullyBEEF writes "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, bad guys are seizing control of the machine's clipboard (probably using the Flash command setClipboard) and inserting a hard-to-delete URL that points to a fake anti-virus program. A number of legitimate sites have been seen to host ads carrying the attack — including Newsweek, Digg, and MSNBC.com. Researcher Aviv Raff offers a harmless demo of how it's done."

14 of 353 comments (clear)

  1. Yes, its annoying by QuantumG · · Score: 2, Interesting

    But I fail to see how you can leverage this to gain privs.

    If that's possible, then maybe that should be the subject of the article.

    --
    How we know is more important than what we know.
    1. Re:Yes, its annoying by slashqwerty · · Score: 4, Interesting

      But I fail to see how you can leverage this to gain privs.

      I suppose it would be possible to populate the clipboard with corrupted contents, perhaps a string of XML that another app would try to consume. If that other app, designed strictly for desktop use, has a vulnerability in the way it processes said XML an attacker may be able to gain privileges. It's possible such an app will examine the clipboard contents just to determine if it should enable the Paste menu. Which means you could be vulnerable even though you never paste from the clipboard.

    2. Re:Yes, its annoying by x2A · · Score: 2, Interesting

      You can't figure out a simple solution? Like, have the banner ad companies screen for flash commands that shouldn't be needed for simple ads, like setClipboard?

      Even if I don't paste the url into my browser and run whatever's on that webpage, I don't want something wiping whatever I have in the clipboard at the time... which would be why I have 'allow clipboard access' disabled in my browser javascript settings, I'd be very annoyed if sites are pushing ads that sneak around this, and if I was employing these companies to provide ads for my sites, I'd be annoyed with them for annoying my users in such a way. After all, I'm entrusting space on my pages to them. These companies should be doing better, now it's known about, they need to implement something to stop it from happening, whether people are going to the website and running stuff or not.

      (And yes there's options for blocking ads, but they're paying for what I'm using. If I don't like the number of ads I don't visit the site, cuz that's the deal as I see it... content for the ads)

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    3. Re:Yes, its annoying by ZorbaTHut · · Score: 2, Interesting

      Some P2P clients support a "pull links directly from clipboard" feature, where they watch the clipboard for any link with the format they use and automatically download what it's pointing to.

      The danger in this - both the parsing, and the downloading - is obvious. I don't believe any clients run downloaded things by default, but it's still potentially quite nasty.

      --
      Breaking Into the Industry - A development log about starting a game studio.
  2. Re:Hard to remove? by INeededALogin · · Score: 4, Interesting

    I closed the demo window

    The average user is not going to know that they have been hijacked and they won't necessarily know which window is doing it. The clipboard hijacker could even wait until you copy a url before modifying it.

  3. Barely works in ubuntu by Anonymous Coward · · Score: 1, Interesting

    I'm running Ubuntu 8.10 and Firefox 3.0, and while the attack does paste text onto the clipboard, all I need to do to copy new text over it is close the offending tab. Based on comments I read from mac and windows users it seems like linux is the least affected by this 'attack'

  4. Re:flashblock by FictionPimp · · Score: 4, Interesting

    I have talked quite a few companies out of using flash while consulting for them. I have used many legitimate reasons. Accessibility for the disabled, backwards compatibility, not using a business model dependent on a 3rd parties proprietary software, and the general annoyance of most users when they encounter a flash based website. I have found that a nice clean site developed with good web standards can do 99% of what most people want to do with flash. It will fail better on older browsers, it will load faster (in most cases), and it will be more usable by the customer with the least amount of work (larger fonts, screen readers, alternate color schemes, opening windows in new tabs, bookmarking, etc).

    IMHO, companies that choose to use flash do so because they don't have the resources to see there are better choices AND they already know flash.

  5. Just a loop by Twillerror · · Score: 4, Interesting

    Okay so the flash ad just copies something to the clipboard in a loop. Closing the tab or browser stops this. I suppose if you are running your browser in the background this would be very annoying and you wouldn't know.

    Today firefox and IE prompt if you want to use the clipboard from javascript, but it used to not be this way. I'm sure Adobe will patch this soon enough.

    This is like old popups...and oversight that is being exploited by the annoying "internet bully". It's like getting a wet willing or you head stuffed in a toilet.

    The issue is here that both Flash and the underlying operating system don't have any kind of cut and paste protection. X, Mac OS X, and XP/Vista should not allow a program to copy and paste the same dam string to the clipboard over and over. Really kind of annoying that we have to spend so many human hours fixing "problems" like this...but such is life I suppose.

  6. Flashblock doesn't work here by Anonymous Coward · · Score: 2, Interesting

    I am visiting the test site using Firefox with Flashblock on Ubuntu 8.04. I press Ctrl+V, and there it is, http://www.evil.com.

    This only happens sporadically, though, and I can always just Ctrl+C something else. I believe this is because Flashblock blocks ads as they are loaded, not before they load (not 100% sure about this).

    Does anybody else have this issue?

  7. Re:flashblock by FictionPimp · · Score: 3, Interesting

    I've seen good flash work. For example there was a drum kit builder I ran across where you could select drums, change colors, locations, etc. It was done really well and would of been a messy project to do with javascript. Another great example might be a 3d view of a car that lets you adjust options via a menu system.

    I'm also a fan of flash games. It lowers the level of entry for game writers and performs well. However, most of the flash people want to do seems to be in places where it simply does not belong. For example site navigation, or content.

    I remember trying to look up local car dealerships in my area to buy a new car. I couldn't stand how every site needed to pre-load, play music (with no option to turn off) and animate with sound every single content switch. I just wanted to look at what was on their lot, I wanted to open up the items I was interested in on separate tabs so I could compare them. The experience was so horrible I ended up just visiting the dealers (of course maybe that was their idea....)

  8. Same Ol' Same Ol' by MightyMartian · · Score: 2, Interesting

    Once again we see the serious consequences of allowing a single company to serve a proprietary solution which opens up browsers and the platforms they run on to serious security flaws. This is ActiveX Part Deux, or perhaps Son of ActiveX.

    To some extent I blame the guys writing the browsers. They're the ones letting plugins and extensions to have this much control over clipboards. The solution here is obvious, though Adobe may not like it, but at this point I think Adobe's concerns shouldn't even enter the equation.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  9. Re:flashblock by Anonymous Coward · · Score: 1, Interesting

    in windows, use runas (from a command prompt for context menu).

    a nice feature of runas is that you don't need to bother with --no-remote -P.

    note that generally X11 sessions can communicate with eachother even if they aren't the same user.
    At least, when I do ssh -X myuser@something from a coworker's computer, I need to do firefox --no-remote -P
    otherwise my firefox will just talk to his firefox.

  10. Re:Clicked on the flash area in NoScript in the de by Serious+Callers+Only · · Score: 2, Interesting

    Well, there's also video cam support - it is supposed to ask your permission first, but perhaps there are unexplored features/vulnerabilities in it too :

    http://www.macromedia.com/support/documentation/en/flashplayer/help/help04.html#117089

    If I was a hacker^^^^^^security researcher, I'd be looking there first.

    One of the reasons why I surf with Flash off.

  11. Re:How to fix this: by swb · · Score: 2, Interesting

    I second this, but I would only permanently whitelist sites you absolutely need to out of convenience or trust; everything else I temporarily whitelist on an as-needed basis, and I find that unless I'm shopping or something there are number of sites I don't need javscript to run for basic use. I figure with SQL injection attacks and other random maliciousness, even "trusted" web sites can be compromised and this keeps my exposure to a minimum.

    The only feature I wish it had, though, was some kind of per-tab or per-site whitelist inheritance. Some sites, like Newegg, use Akamai for shopping cart processing. Allowing Newegg doesn't in turn allow URLs for Akamai, which I understand, but it means I have to wait until the checkout blows up, THEN temporarily allow Akamai to finish a purchase.

    If there was some other way to "Temporarily allow all referred linked from foo.com" or "Allow all as long as address bar is foo.com" or something that would allow other sites' javascript to run, so long as I "stayed" on the page I was on.