Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Flash Ads Launching Clipboard Hijack Attacks

Posted by kdawson on from the poisoning-the-ad-pool dept.

bullyBEEF writes "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, bad guys are seizing control of the machine's clipboard (probably using the Flash command setClipboard) and inserting a hard-to-delete URL that points to a fake anti-virus program. A number of legitimate sites have been seen to host ads carrying the attack — including Newsweek, Digg, and MSNBC.com. Researcher Aviv Raff offers a harmless demo of how it's done."

24 of 353 comments (clear)

  1. what sort of flash? by Anonymous Coward · · Score: 5, Funny

    "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards..."

    booby flash?

  2. flashblock by owlnation · · Score: 5, Informative

    as though we really need yet another reason to use flashblock...

    This one small piece of technology has made browsing the web bearable again. I can't ever thank its developers enough.

    1. Re:flashblock by enoz · · Score: 4, Informative

      You could just create multiple profiles in Firefox, and then load the secondary profile with "-no-remote" so that it doesn't intercept any URLs or clicks that would normally load in your primary browser.

    2. Re:flashblock by smittyoneeach · · Score: 4, Funny

      This is /., where over-engineering would be considered a virtue if laziness hadn't won out.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    3. Re:flashblock by FictionPimp · · Score: 4, Interesting

      I have talked quite a few companies out of using flash while consulting for them. I have used many legitimate reasons. Accessibility for the disabled, backwards compatibility, not using a business model dependent on a 3rd parties proprietary software, and the general annoyance of most users when they encounter a flash based website. I have found that a nice clean site developed with good web standards can do 99% of what most people want to do with flash. It will fail better on older browsers, it will load faster (in most cases), and it will be more usable by the customer with the least amount of work (larger fonts, screen readers, alternate color schemes, opening windows in new tabs, bookmarking, etc).

      IMHO, companies that choose to use flash do so because they don't have the resources to see there are better choices AND they already know flash.

    4. Re:flashblock by JayGuerette · · Score: 4, Informative

      But, you still can't (AFAIK) run two instances of the browser running under different profiles at the same time. Sometimes it would be nice to have 2 different profiles running at the same time so you could go to sites you trust in one, and sites you don't in another.

      Now, I'm perfectly willing to be told I'm wrong (in fact, if someone can I'd love to know how), but I have yet to find a way to have two profiles of Firefox running under Windows at the same time in the same Windows session.

      Yes, you are completely wrong. My wife and I have discrete Firefox profiles on one computer, and often have 2 browser windows open, one on each profile. She has her own plugins, preferences, bookmarks, & history; and I have mine. Use the profile manager to create the profiles, add "-no-remote -p profilename" to a shortcut, and you're good to go. There was a plugin for FF2 called FireTitle, that allowed us to put our profile names in the window title, but alas it's not been updated for FF3.

  3. confirmed on mac os x 10.5.4 by v1 · · Score: 4, Informative

    it copied "http://www.evil.com/ to my clipboard. Any app I pasted into pasted that url. I tried many apps to copy something to the clipboard but it remained evil.

    The article says in one place you have to restart, and in another you have to close your browser window. I found that closing safari was not sufficient, and I had to quit safari to successfully copy different data into my clipboard with other apps.

    --
    I work for the Department of Redundancy Department.
    1. Re:confirmed on mac os x 10.5.4 by ScentCone · · Score: 5, Funny

      confirmed on mac os x 10.5.4

      I'm sorry, but you're using a Mac and anything like this is completely impossible. Why do you hate Mac users, that you would say such a disturbing thing? You are mean.

      --
      Don't disappoint your bird dog. Go to the range.
    2. Re:confirmed on mac os x 10.5.4 by Mr.+Marabou+Man · · Score: 5, Informative

      Yeah ? Interesting. On my setups (Firefox 3.0.1 on Slackware & Tiger, Safari 3.1.2 on Tiger), closing the tab is sufficient to make it go away. YMMV, obviously.

  4. Write Filter = Best Antivirus by Z34107 · · Score: 4, Informative

    Good thing my laptop runs EWF drivers. Any changes made to the C volume (a solid state drive) made in memory instead. Everything works like you'd expect it to - delete a file and it's gone - until you reboot, that is, and all of your in-memory changes are discarded.

    I'd like to see XP Antivirus Pro 2008 thoroughly embed its tendrils... and then survive a restart. No changes are committed unless I manually force it.

    Considering that Circuit City will sell you a PC with 6 GB of RAM for $999, I wonder why EWF isn't a standard feature. Probably because somebody would forget that defragging your hard disk would exhaust available RAM and then die, or wonder where that program they just installed went after they rebooted...

    Linux has a similar filesystem, I believe it's used for boot CDs. It pairs the read-only volume with a RAM drive, and all writes are cached there and discarded.

    --
    DATABASE WOW WOW
  5. Shockwave... by azav · · Score: 4, Informative

    I'll bet you can do it too in Shockwave with copyToClipboard. It is a little trickier though as copytoClipboard holds the reference to the Director member copied IIRC. Thinking about it, any web service that supports the clipboard should be able to do this.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  6. How to fix this: by MrMista_B · · Score: 4, Informative

    http://adblockplus.org/en/

    Problem solved!

    Seriously, blocking ads and javascript and flash stuff is like a game for me now, I get a little thrill of victory every time I block one of those things, it's great.

    1. Re:How to fix this: by AceofSpades19 · · Score: 5, Funny

      You have problems....

  7. Re:Yes, its annoying by QuantumG · · Score: 4, Insightful

    Umm.. yeah, and then you'll say "sure, install this program I didn't even ask to install". If that's something to be worried about then no amount of "security" is going to protect these people.

    --
    How we know is more important than what we know.
  8. Lame results with Linux by keeboo · · Score: 5, Informative

    Well I accessed the page under Linux and Firefox 2 and the following things happened:

    The middle mouse button pastes as usual.
    The hijacked content only appeared with CTRL-V.

    All I need to do is to close the page tab and it's gone.

    Disappointing.

  9. Re:Yes, its annoying by slashqwerty · · Score: 4, Interesting

    But I fail to see how you can leverage this to gain privs.

    I suppose it would be possible to populate the clipboard with corrupted contents, perhaps a string of XML that another app would try to consume. If that other app, designed strictly for desktop use, has a vulnerability in the way it processes said XML an attacker may be able to gain privileges. It's possible such an app will examine the clipboard contents just to determine if it should enable the Paste menu. Which means you could be vulnerable even though you never paste from the clipboard.

  10. Not affected it seems ... by YeeHaW_Jelte · · Score: 4, Informative

    ... on this old system with SuSE 9.1, FF 2.0.014, flash 7.

    Hoorah for lazy upgrading ;)

    --

    ---
    "The chances of a demonic possession spreading are remote -- relax."
  11. Re:Hard to remove? by INeededALogin · · Score: 4, Interesting

    I closed the demo window

    The average user is not going to know that they have been hijacked and they won't necessarily know which window is doing it. The clipboard hijacker could even wait until you copy a url before modifying it.

  12. Re:What about Opera? by hellwig · · Score: 4, Informative

    Tried with Opera 9.51 on gOs/Ubuntu 7.10 and it did copy the url to my clipboard which I was unable to replace (with ctrl+c) until I closed the tab. After closure, I regained control of my clipboard.

    I tried using a user javascript file that would block all flash content and allow me to individually activate the various flash files, but I had problems with things like YouTube, and eventually I abandoned it when certain websites I frequented used Flash for the most obsurd reasons (don't remember which, this was over a year ago). Might be worthwhile to bring it back.

    --
    Eggs
    Milk
    Bread
    Cat Litter
    Soda
    ...
  13. Whew. by rascher · · Score: 4, Funny

    Its about time they start making software that runs on Linux too.

  14. Just a loop by Twillerror · · Score: 4, Interesting

    Okay so the flash ad just copies something to the clipboard in a loop. Closing the tab or browser stops this. I suppose if you are running your browser in the background this would be very annoying and you wouldn't know.

    Today firefox and IE prompt if you want to use the clipboard from javascript, but it used to not be this way. I'm sure Adobe will patch this soon enough.

    This is like old popups...and oversight that is being exploited by the annoying "internet bully". It's like getting a wet willing or you head stuffed in a toilet.

    The issue is here that both Flash and the underlying operating system don't have any kind of cut and paste protection. X, Mac OS X, and XP/Vista should not allow a program to copy and paste the same dam string to the clipboard over and over. Really kind of annoying that we have to spend so many human hours fixing "problems" like this...but such is life I suppose.

  15. Re:Yes, its annoying by jesser · · Score: 4, Insightful

    But I fail to see how you can leverage this to gain privs.

    1. Every 100ms, put some evil UNIX commands on the clipboard, surrounded by line breaks. I'm sure you can come up with a one-liner that compromises a user's system.

    2. Hope someone will paste into a Terminal window while your evil page is open.

    I paste into Terminal windows all the time. For example, I might copy an error message and then grep another file for the message. If there's an evil web page open while I do that, the paste will own me.

    --
    The shareholder is always right.
  16. Re:Clicked on the flash area in NoScript in the de by Hurricane78 · · Score: 5, Insightful

    > When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.

    This maybe is true, except if you want to do a real web application. Loading a whole HTML-page, just to change some state of an (non-form-element) interface element... That's insanity.
    You've done the same that someone in a trauma does. You're created false associations. It's not the technology or even the virtual machine that's bad. It's the implementation.
    Your argument is the same, as if someone who had only bad experiences with x86, while having good ones with his old 86000s, argues that "if an application requires x86, then that application is never again used."
    The same is true for OSes. Someone could implement Windows XP in a proper manner, and make it a very safe system. (I did not say that someone would want, tough ;)

    Or in short:
    Someone can crack a bad JavaScript VM and contaminate the rest of the system. And someone could crack a bad OS, and contaminate the rest of the system. There are even examples for this on virtualization VMs. (Heck, the system's clipboard is accessible to all 3 of them, on modern VMs!)

    So my vote goes for Replacing the JavaScript VM with a hardened generic VM, with a fixed interface to the outside world, and adding JavaScript, Python, Ruby, Haskel, Ocaml and more as languages to it (via add-ons, or pre-compiled?)

    Okay, I think one should remove at least one layer of abstraction/VM and harden the OS so that even OpenGL on JavaScript would not have a performance loss. (Yes, this would be useful. Eg. for quick dynamic data visualization or entertainment applications.)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  17. Re:Clicked on the flash area in NoScript in the de by negRo_slim · · Score: 4, Funny

    I often hear people on Slashdot claiming that Flash is safe

    Well sir you must view /. at a much lower threshold then I do!

    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days