Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)
An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses JavaScript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
What is ‘this’ in your sentence? CSS? Copying in general? All the page does is use some CSS to move part of the text off-screen where it cannot be seen.
Detecting what is and isn't visible when copying text is a non-trivial task, as is defining what visibility means: obviously when you press Ctrl+A, Ctrl+Ins you want the entire document, even those parts for which you'd need the scrollbar to read them. But what if text is placed in such a way that it's always inside the scrollable region, but outside the visible window client area?
And so far there have been no successful attacks based on this mechanism. It is hard to exploit, it requires the victims to paste console commands (that reduces your audience quite a lot, most people never use the console), it likely requires specific environments, it requires the console to execute it immediately rather than show it, and it's really obvious to the victim that something is up, even when, especially when, it doesn't work.
So, a very difficult and low-priority feature then.
And one might wonder if it's really the browsers which need to fix this. I think it would help a great deal if terminals detected if the text likely came from the web (this can be checked since when you copy from a browser, HTML gets put on the clipboard as well as a plain text version). One of the most dangerous aspects of this attack is that the BR-tag must translate to a newline, and terminals execute commands when they encounter newlines. If the terminal would simply show these newlines on the prompt and only execute stuff when the user actually presses enter, most of the attack surface would be gone.
If I ever paste anything into terminal I always paste it into a text editor first.
Then gosh help you if what you paste contains an exploit for your text editor. There's a vi exploit in one of the examples.
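The check the comments above ask for (show pasted newlines instead of acting on them, and make control characters visible before a terminal or text editor receives them), as an added example that is not part of the original thread. `inspect_paste`, `render` and the `has_html_flavor` flag are hypothetical names, and the sample string is constructed.

```python
import re
import unicodedata

# Line terminators: a terminal without paste protection runs each completed line.
BREAKS = re.compile(r"\r\n|[\n\r\x0b\x0c\x85\u2028\u2029]")

def render(text):
    """Return text with control, format and line-separator characters made visible."""
    out = []
    for ch in text:
        if unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp"):
            out.append("\\x%02x" % ord(ch) if ord(ch) < 256 else "\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def inspect_paste(text, has_html_flavor=False):
    """Classify clipboard text before it reaches a shell prompt or an editor.

    has_html_flavor is an assumption: the caller has already checked whether the
    clipboard also offers a text/html version (platform-specific, not done here).
    """
    parts = BREAKS.split(text)
    auto_run = [p for p in parts[:-1] if p.strip()]  # lines already ended by a break
    pending = parts[-1]                               # still waits for the user's Enter
    controls = sorted({render(c) for c in text
                       if unicodedata.category(c) == "Cc" and not BREAKS.fullmatch(c)})
    return {
        "from_web": has_html_flavor,
        "auto_run": auto_run,
        "pending": pending,
        "other_controls": controls,
        "needs_review": bool(auto_run or controls),
        "preview": render(text),  # single line, safe to show at the prompt
    }

# Constructed sample: one visible command, a line that was hidden on the page,
# and an escape character of the kind an editor or terminal would interpret.
SAMPLE = "echo visible-command\necho constructed-hidden-line\n\x1b[0mtail"

if __name__ == "__main__":
    for key, value in inspect_paste(SAMPLE, has_html_flavor=True).items():
        print(f"{key}: {value}")
```
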