Home  >  

Adobe Flash Clipboard Hack

Author photo
Richard Monson-Haefel
September 22, 2008 | | Comments (5)
AddThis Social Bookmark Button
print | listen Speech Icon
flashplayer

Although this was first brought to the attention of the world on August 18th in a ZDNet article, "Adobe Flash ads launching clipboard hijack attack", it seems little has been said about it since.

Apparently there is a mechanism by which a Flash movie can insert any kind of content into the clipboard. You can see it demoed here (warning once you click on this link you'll need to close down your browser if you want to use your clipboard again).

It's really spooky. While writing this blog I copied on the above demo URL and when I tried to paste into this blog entry all I got was (http://www.evil.com) instead. And the clipboard is hijacked across all applications - not just your browser.

The good news is that Adobe plans to fix this with the release of Adobe Flash Player 10. The bad news is that that everyone who uses Flash can be victimized by this attack until Flash player 10 is released (its in pre-release now). Short of uninstalling all players proceeding Flash Player 10, I'm not sure if there is any way to avoid getting your clipboard hijacked.

Read more from Richard Monson-Haefel.

Comments

5 Comments

Quentin said:

AVAST detected the threat, which is cool.

September 22, 2008 9:23 AM
Adrian Parr said:

Yeah, I got that too. I wonder how Avast picked it up?

Screenshot here ...

http://www.adrianparr.com/images/avast_warning.gif

September 22, 2008 12:17 PM
Rich Tretola said:

I am running Flash Player 10 and I get an error on the test site so I assume this is blocking the hack. It does occur on Flash Player 9

Error: Error #2176: Certain actions, such as those that display a pop-up window, may only be invoked upon user interaction, for example by a mouse click or button press.
at flash.system::System$/setClipboard()
at test_fla::MainTimeline/setClip()
at Function/http://adobe.com/AS3/2006/builtin::apply()
at SetIntervalTimer/onTimer()
at flash.utils::Timer/_timerDispatch()
at flash.utils::Timer/tick()

September 22, 2008 6:39 PM
Dillon said:

Avast shivers me timbers. Arrg! Another virus blown out of the water!

November 10, 2008 6:20 PM
Mandy said:

Clickjacking has been fixed now already. People using it for the old copy clipboard function (which Flash 10 broke) should look for other solutions. I saw a good example here:

http://groups.google.com/group/Snipurl/web/copy-to-clipboard-not-working

November 14, 2008 12:48 AM

Leave a comment


Type the characters you see in the picture above.

Tag Cloud

Poll: Adobe MAX

Will you be attending Adobe MAX next week?

Vote | View Poll Results | Read Related Blog Entry

Latest Features

News & Events

Read more News & Events

Recommended for You

Development Series

Get an overview of the tools and technologies that work together to allow developers to build Rich Internet Applications (RIAs) quickly and easily.

Anatomy of an Enterprise Flex RIA

Recent Comments

Archives

  • Or, visit our complete archive.  

About This Site

Welcome to the premiere community site for all things RIA sponsored by O'Reilly Media and Adobe Systems Incorporated.