Just saw a Friday article in The Register titled “Mystery web attack hijacks your clipboard”. The symptom was that someone was surfing and something started perpetually writing his clipboard. Dan Goodwin referenced “sandi” at a MSMVPS.com blog (sorry for not quoting your last name, Sandi, but you don’t make it obvious and I didn’t remember it), which in turn referenced a number of forum threads which were said to describe the issue.
This forum thread seems to have the most descriptions (possibly of multiple issues), but the screenshots and partial descriptions don’t seem to mention any particular SWF at MSNBC.com. As in previous Flash warnings through this venue, it’s hard to summarize the main evidence, drawn from various disconnected forum posts. Dan Goodin said Sandi mentioned Flash, but I didn’t see where she did (other than with her weblog template about “flash malvertizements”). There’s not yet a succinct case.
1) How did you get to be executing some logic which acts so obnoxiously?
2) If you’re using a browser to surf the web, should strangers have so much power?
(The answers are already here, but let’s run it fresh again anyway…. 😉
How’d some rogue interactivity get into your browser? Probably because of a trustworthy webpage with untrustworthy third-party content. Ad networks are big vectors for third-party resources. Web-based services are another way to introduce third-party scripting into a composite webpage. Even a third-party GIF can no longer be completely trusted. Sandi’s page is pretty secure, but even this is executing scripts from three domains… the article at The Register is executing scripts from six different domains.
Should webpages have so much power, as to be able to copy to the clipboard? Probably not, because you can’t trust everyone else we allow on the network. Early email architects didn’t imagine spam, but spam is what we got. If we want to safely click from link to hypertext link on the World Wide Web, the most stable solution is to give the browser experience few privileges.
(The alternative (which failed for Microsoft in the 1990s, and which Google is reviving in a different way with their search warnings) is the concept of giving some groups of publishers greater trust than others, which leads into an additional class of permission-raising exploits, spoofing, and so on, as well as all the subsequent social opposition from the less-privileged classes. In these days, when even your local domain-name server can’t always be trusted, favoritism doesn’t scale at all well.)
Web browsers need to be able to safely visit any hypertext link, safely execute any instructions they may contain. To gain greater privileges, it seems smarter to use a separate codebase with a more generous sandbox, than it is to set up permission schemes. This is the fundamental reason that I believe the various brands of WWW browsers won’t be able to act very much like desktop apps… the needs of visiting any strange site safely conflict directly with the needs to be trusted and powerful parts of your daily environment. Theoretically possible; pragmatically fragile.
Anyway, on this story at The Register, I haven’t yet been able to identify the exact situation from the descriptions. Clipboard-spamming does seem a possibility. And the trends of composite webpages with third-party content makes it increasingly difficult for in-browser apps to act like desktop apps.
Summary: This report needs further investigation.