Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: no-s; 1234; 50mm; 6SJ7; Abundy; Action-America; acoulterfan; aristotleman; af_vet_rr; Aggie Mama; ..
Hot-diggity damn.

It's NOT FUD!

The clipboard hijack exploit DOES INDEED work on an OSX Mac with Safari!

Security researcher Aviv Raff has created a proof-of-concept demo to show how easy it is to use Flash with ActionScript code to load (persistently) a malicious URL into a target clipboard. (BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).

For those of you who want to try it, the link to the demo page is below:

WARNING! CLICK AT YOUR OWN RISK!

Demo Link to ClipBoard hijack exploit!

I have found, however, that with a Mac, simply navigating away from the offending hijacking website will end the attack. There is no need to close the browser window.

10 posted on 08/23/2008 8:29:00 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)


To: Swordmaker

Yep, it works, Firefox 3 on Leopard, and it keeps the info in the clipboard.

OTOH, woohoo, it put a text link into my clipboard. I must say I am far less than impressed. Much self-inflicted idiocy must follow for it to be damaging, or much more work to make this effectively malicious.

Still, we’re inching towards that one inevitable day when OS X will finally get an in-the-wild, effective, propagating virus. Until then I’ll keep enjoying not having three protection programs running, sucking up resources.


18 posted on 08/23/2008 9:40:41 PM PDT by antiRepublicrat

To: Swordmaker

Oh no! The only answer is to navigate away or close the browser window?!? ;’)


19 posted on 08/23/2008 9:42:14 PM PDT by SunkenCiv (https://secure.freerepublic.com/donate/_______Profile hasn't been updated since Friday, May 30, 2008)

To: Swordmaker
I presume this exploit operates by looping the javascript code in the flash to repeatedly copy the bogus URL into the clipboard. That's why the exploit vanishes when you close the browser window.

I really wish there was a way to send a large EMP into the servers owned by these spammers. I'd like to tase the spammers too for good measure!

26 posted on 08/24/2008 4:33:35 AM PDT by 6SJ7

To: Swordmaker

Lynx doesn’t seem to suffer from this problem. ;)


32 posted on 08/25/2008 11:20:50 AM PDT by Question_Assumptions

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson