Clipboard pollution

Just saw a Friday article in The Register titled “Mystery web attack hijacks your clipboard”. The symptom was that someone was surfing and something started perpetually writing his clipboard. Dan Goodwin referenced “sandi” at a MSMVPS.com blog (sorry for not quoting your last name, Sandi, but you don’t make it obvious and I didn’t remember it), which in turn referenced a number of forum threads which were said to describe the issue.

This forum thread seems to have the most descriptions (possibly of multiple issues), but the screenshots and partial descriptions don’t seem to mention any particular SWF at MSNBC.com. As in previous Flash warnings through this venue, it’s hard to summarize the main evidence, drawn from various disconnected forum posts. Dan Goodin said Sandi mentioned Flash, but I didn’t see where she did (other than with her weblog template about “flash malvertizements”). There’s not yet a succinct case.

It’s plausible that some webpage has some rogue SWF which acts obnoxiously with the clipboard. Might be a JavaScript thing too. But let’s say that there’s indeed some rogue browser element which just yak-yak-yaks into your clipboard.

Two questions:
1) How did you get to be executing some logic which acts so obnoxiously?
2) If you’re using a browser to surf the web, should strangers have so much power?

(The answers are already here, but let’s run it fresh again anyway…. ;-)

How’d some rogue interactivity get into your browser? Probably because of a trustworthy webpage with untrustworthy third-party content. Ad networks are big vectors for third-party resources. Web-based services are another way to introduce third-party scripting into a composite webpage. Even a third-party GIF can no longer be completely trusted. Sandi’s page is pretty secure, but even this is executing scripts from three domains… the article at The Register is executing scripts from six different domains.

As Nat Torkington described, if you’re republishing third-party JavaScript, even trustworthy sources may prove untrustworthy. If you’re accepting interactivity through an ad network, then they don’t seem to have formal processes to vet the people they forward to you for republishing.

If you use Firefox and AdBlock Plus, or have another way of inspecting third-party content on webpages, take a look at just how many domains are involved in creating the page you’re viewing. Each HTTP request for a GIF or a JavaScript or an RSS or even a ping is registered on a server log at those unanticipated third-party sites, and for interactivity (.SWF, .JS, whatever), your browser will be accepting instructions from parties other than the site you’re visiting. Modern sites like TechCrunch invoke dozens of scripts and ping even more domains whenever you visit.

Should webpages have so much power, as to be able to copy to the clipboard? Probably not, because you can’t trust everyone else we allow on the network. Early email architects didn’t imagine spam, but spam is what we got. If we want to safely click from link to hypertext link on the World Wide Web, the most stable solution is to give the browser experience few privileges.

(The alternative (which failed for Microsoft in the 1990s, and which Google is reviving in a different way with their search warnings) is the concept of giving some groups of publishers greater trust than others, which leads into an additional class of permission-raising exploits, spoofing, and so on, as well as all the subsequent social opposition from the less-privileged classes. In these days, when even your local domain-name server can’t always be trusted, favoritism doesn’t scale at all well.)

Web browsers need to be able to safely visit any hypertext link, safely execute any instructions they may contain. To gain greater privileges, it seems smarter to use a separate codebase with a more generous sandbox, than it is to set up permission schemes. This is the fundamental reason that I believe the various brands of WWW browsers won’t be able to act very much like desktop apps… the needs of visiting any strange site safely conflict directly with the needs to be trusted and powerful parts of your daily environment. Theoretically possible; pragmatically fragile.

Anyway, on this story at The Register, I haven’t yet been able to identify the exact situation from the descriptions. Clipboard-spamming does seem a possibility. And the trends of composite webpages with third-party content makes it increasingly difficult for in-browser apps to act like desktop apps.

Summary: This report needs further investigation.