Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)

Posted by BeauHD on from the look-behind-you dept.

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."

6 of 89 comments (clear)

  1. Misfeature by vux984 · · Score: 5, Informative

    This was *always* a mis-feature and it should simply be disabled at the browser level to permanently ignore.
     

    1. Re:Misfeature by fustakrakich · · Score: 3, Informative

      Advertisers have been doing this for years with all sorts of their stuff attached to the paste. Is there an extension that can disable it?

      And don't people read what they pasted into the terminal before hitting the Enter key?

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Misfeature by fisted · · Score: 4, Informative

      I'd venture a guess that the paste ships with the newline already...

      --
      CLI paste? paste.pr0.tips!
    3. Re:Misfeature by viperidaenz · · Score: 4, Informative

      Disable Javascript and CSS, or don't copy and paste web content in to your terminal.

      The CSS method puts an inline span in the middle of what you're supposed to copy and gives it an absolute position so it's out of the visible area. Being inline, the browser doesn't care it's been re-positioned and adds it to the selected content.

      The Javascript method, I assume listens for the selection events and insert inline content into the selection at a place on screen you can't see.

  2. Bracketed Paste Mode by Anonymous Coward · · Score: 5, Informative

    Terminals/shells that support bracketed paste mode don't have this problem.

    When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).

    There's a ZSH plugin that adds this functionality:

    https://cirw.in/blog/bracketed-paste

    I love zsh.

    1. Re:Bracketed Paste Mode by Anonymous Coward · · Score: 3, Informative

      Try again with a newline at the end of the command. That will automatically execute the command as part os pasting it. A malicious script would put a newline at the end so it would run before you had a chance to catch the error.

      Terminal + bash on Mac will execute. As will both Powershell and cmd.exe on Win.