Clipboard hijack

**stevesmithx** · 11-03-2008

DISCLAIMER:
The following link hijacks your clipboard.However you can change the content of the clipboard by closing the page.

http://garyc.mooo.com:3232/rr/

Normally I have seen websites that are intrusive by opening popups and changing the
homepage.
But this one has gone one-level up by hijacking the clipboard.(although done to amuse the visitor).

I don't have a clue how they do this but I guess it may have something to do with "invisible" flash that loads on that page.
Imagine what would happen if the reverse is also possible?(If the contents of the clipboard can be sent to the site on visiting the site.(esp. if you have sensitive info in the clipboard))
Is the internet becoming more insecure these days?

Edit:
eeks!It does seem to be possible to do the above:
http://www.knowledgebase-script.com/...ticle-421.html

**whiteflags** · 11-03-2008

The preconceived notion that the internet was secure is untrue, particularly because of the people using it as always. In the beginning it was rather amazing it worked and everyone basked in it. Only download content (particularly objects, activex stuff and scripts) from sites that you trust, but misfortune can still happen.

**Salem** · 11-03-2008

Firefox + flashblock + noscript

[ ] Yes, I'd like to download any piece of content-free crap which has no clear and present use.

**Yarin** · 11-04-2008

Originally Posted by stevesmithx

Is the internet becoming more insecure these days?

Of course, anything that gets more complicated also gets more insecure...
Just look at Vista.

**abachler** · 11-04-2008

Originally Posted by Yarin

Of course, anything that gets more complicated also gets more insecure...
Just look at Vista.

or women <duck>...

**Dae** · 11-04-2008

It's not encrypted.

Code:

function onEnterFrame()
{
    System.setClipboard(strings.join("\r\n") + "\r" + "\n" + "\r" + "\n");
} // End of the function

var strings = ["We\'re no strangers to love", 
"You know the rules and so do I", 
"A full commitment\'s what I\'m thinking of", 
"You wouldn\'t get this from any other guy", 
"I just wanna tell you how I\'m feeling", 
"Gotta make you understand", 
"Never gonna give you up", 
"Never gonna let you down", 
"Never gonna run around and desert you", 
"Never gonna make you cry", 
"Never gonna say goodbye", 
"Never gonna tell a lie and hurt you"];

var pointer = 0;

Originally Posted by stevesmithx

Is the internet becoming more insecure these days?

The internet's security isn't changing. This stuff has existed for years. Any major insecurities Adobe patches up immediately (the only problem with that is some people run outdated Flash players). MSIE gets tougher on phishing (I would know -wink-). Firefox gets tougher on everything (MSIE hides flash HTTP calls, Firefox doesn't). Plugins are developed to solve these problems (flashblock). We do however discover more bugs as time goes on, obviously. If you've tried to exploit Flash or AJAX, then you would now they are very secure. There's only a few exploits, one of which I'm not telling (only works well on MSIE anyway).

**~~master5001~~** · 11-04-2008

Only a retard uses MSIE anyway. If you would like I will write an unnecessarily long essay to back up what I just said. I don't care who gets their feelings hurt because their myspace looks bomb on IE. It is true (I also don't care who I injured with that statement either

)

**Dae** · 11-04-2008

I doubt many programmers use MSIE (Yay!). That includes most of this forum. (Woot!) I found only 30% of my random visitors use MSIE. (Chaching!) MySpacers are definitely big offenders. (WTF!)

Edit: Vrooooooom!

**~~master5001~~** · 11-05-2008

I am noticing a big shift towards linux lately. That is definitely a good thing. It is good to see Microsoft's grasp on the industry letting loose.

**maxorator** · 11-06-2008

It doesn't hijack anything... it just copies stuff to the clipboard with an interval. It's totally safe.

**stevesmithx** · 11-07-2008

Thanks all for your replies.
@Salem
Thanks for the info about those extensions.Been using firefox for a long time with popular extensions sans the two you mentioned.

@DAE

It's not encrypted.

Code:

Code:

function onEnterFrame()
{
    System.setClipboard(strings.join("\r\n") + "\r" + "\n" + "\r" + "\n");
} // End of the function

var strings = ["We\'re no strangers to love", 
"You know the rules and so do I", 
"A full commitment\'s what I\'m thinking of", 
"You wouldn\'t get this from any other guy", 
"I just wanna tell you how I\'m feeling", 
"Gotta make you understand", 
"Never gonna give you up", 
"Never gonna let you down", 
"Never gonna run around and desert you", 
"Never gonna make you cry", 
"Never gonna say goodbye", 
"Never gonna tell a lie and hurt you"];

var pointer = 0;

How did you see the code?.I can't see a thing on the page source.
I thought the code was inside that flash component and NOT part of the javascript.

It doesn't hijack anything... it just copies stuff to the clipboard with an interval. It's totally safe.

It does that without user's permission.And after you leave the page open you can't copy
anything else on the clipboard.I think that is intrusive and too much of a "functionality" for a web page.I totally agree that it is safe but not when done in the reverse.

**Dino** · 11-07-2008

IE has a setting to disallow javascript access to the Clipboard.

**maxorator** · 11-07-2008

Originally Posted by Dino

IE has a setting to disallow javascript access to the Clipboard.

It's not javascript - it's Flash.

@stevesmithx
You can't possibly support removing the clipboard functionality from Flash. It is an essential feature. This problem is another one of those "drive people mad with safe little annoying things". The reality is that intrusive sites simply aren't used and lose their market share.

Didn't you know you can simply decompile Flash files? And ActionScript's syntax isn't as close to Javascript's syntax as people tend to think.

**Dino** · 11-07-2008

Well, that explains it - it certainly looked like javascript.

**sean** · 11-07-2008

And ActionScript's syntax isn't as close to Javascript's syntax as people tend to think.

They're both based on ECMA - so it's kind of like comparing JavaScript and C#.

I agree with maxorator - in the apps we've made at work we use that feature - and it rounds out the functionality of a webapp quite well. I don't think it's inherently unsafe at all - if people are worried about it, they should by all means block it as mentioned above, but it really can't do any harm to your system. You just shouldn't visit sites if you know they're dumb - that's the only site I've heard of doing that.

Lots of websites do things without your permission - if you were to disable all of them, you wouldn't have a very useful internet experience.

Thread: Clipboard hijack

Thread Tools

Search Thread

Display

Clipboard hijack

Similar Threads

copying to clipboard

Clipboard and Custom Types

Clipboard Modifier

Manipulating the Windows Clipboard

OLE Clipboard :: Win32 API vs. MFC