Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)

Posted by BeauHD on from the look-behind-you dept.

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."

17 of 89 comments (clear)

  1. Misfeature by vux984 · · Score: 5, Informative

    This was *always* a mis-feature and it should simply be disabled at the browser level to permanently ignore.
     

    1. Re:Misfeature by fustakrakich · · Score: 3, Informative

      Advertisers have been doing this for years with all sorts of their stuff attached to the paste. Is there an extension that can disable it?

      And don't people read what they pasted into the terminal before hitting the Enter key?

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Misfeature by fisted · · Score: 4, Informative

      I'd venture a guess that the paste ships with the newline already...

      --
      CLI paste? paste.pr0.tips!
    3. Re:Misfeature by Anonymous Coward · · Score: 3, Interesting

      What is ‘this’ in your sentence? CSS? Copying in general? All the page does is use some CSS to move part of the text off-screen where it cannot be seen.
      Detecting what is and isn't visible when copying text is a non-trivial task, as is defining what visibility means: obviously when you press Ctrl+A, Ctrl+Ins you want the entire document, even those parts for which you'd need the scrollbar to read them. But what if text is placed in such a way that it's always inside the scrollable region, but outside the visible window client area?
      And so far there have been no successful attacks based on this mechanism. It is hard to exploit, it requires the victims to paste console commands (that reduces your audience quite a lot, most people never use the console), it likely requires specific environments, it requires the console to execute it immediately rather than show it, and it's really obvious to victim that something is up, even when, especially when, it doesn't work.
      So, a very difficult and low-priority feature then.
      And one might wonder if it's really the browsers which need to fix this. I think it would help a great deal if terminals detected if the text likely came from the web (this can be checked since when you copy from a browser, HTML gets put on the clipboard as well as a plain text version). One of the most dangerous aspects of this attack is that the BR-tag must translate to a newline, and terminals execute commands when they encounter newlines. If the terminal would simply show these newlines on the prompt and only execute stuff when the user actually presses enter, most of the attack surface would be gone.

    4. Re:Misfeature by viperidaenz · · Score: 4, Informative

      Disable Javascript and CSS, or don't copy and paste web content in to your terminal.

      The CSS method puts an inline span in the middle of what you're supposed to copy and gives it an absolute position so it's out of the visible area. Being inline, the browser doesn't care it's been re-positioned and adds it to the selected content.

      The Javascript method, I assume listens for the selection events and insert inline content into the selection at a place on screen you can't see.

    5. Re:Misfeature by johannesg · · Score: 3, Insightful

      Disable javascript and CSS. Then disable the clipboard and the graphical environment. Then format your harddisk, take apart your PC, and throw every part into a fire. It will hurt as they burn, but at least you will be still alive.

      Seriously, what sort of shitty advise is "disable javascript and CSS"? Might as well tell people to only ever browse with Lynx. Which basically means 'giving up on the world wide web as a whole'. That seems a rather drastic solution for working around a very, very minor problem in the first place. For one thing, if you run Windows none of this is a problem, so 99% of the worlds' population is already safe by default...

  2. We expect better effort next time. by downright · · Score: 3, Insightful

    Millennial hackers just don't try very hard.

  3. Bracketed Paste Mode by Anonymous Coward · · Score: 5, Informative

    Terminals/shells that support bracketed paste mode don't have this problem.

    When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).

    There's a ZSH plugin that adds this functionality:

    https://cirw.in/blog/bracketed-paste

    I love zsh.

    1. Re:Bracketed Paste Mode by Anonymous Coward · · Score: 3, Informative

      Try again with a newline at the end of the command. That will automatically execute the command as part os pasting it. A malicious script would put a newline at the end so it would run before you had a chance to catch the error.

      Terminal + bash on Mac will execute. As will both Powershell and cmd.exe on Win.

    2. Re:Bracketed Paste Mode by DarkOx · · Score: 2

      are you sure, what happens if you have a \n character embed in the paste text. bash sure executes it in my terminal emulator.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:Bracketed Paste Mode by Jahta · · Score: 2

      Terminals/shells that support bracketed paste mode don't have this problem.

      When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).

      There's a ZSH plugin that adds this functionality:

      https://cirw.in/blog/bracketed-paste

      I love zsh.

      On Windows, if you use ConEmu to manage your shell sessions it will block execution of pastes that contain a Return character (regardless of which shell you are running; works with both cmd.exe and bash) and will warn you about the embedded Return.

  4. I'm wishing for help from terminal programs by John+Marter · · Score: 2

    I know I shouldn't copy and paste into a terminal, but it is so convenient. I don't even need a malicious website to get myself into trouble. I just forget that I copied hundreds of lines right after I copied that filename that I wanted to use. And then boom!, lots of commands entered that who knows what will happen with.

    I've occasionally looked, but never found a terminal to help with this. Probably because they shouldn't encourage my bad habit. But if it would just give me a pop up showing what I am about to paste that would help a bunch.

  5. Open source unix virus by 140Mandak262Jamuna · · Score: 3, Funny
    Clip board and command line? Wasn't there already a unix virus like that?

    Subject: Unix virus

    You have been attacked by the unix virus. Please forward this mail to everyone in your .mailrc and delete a bunch of files from $home

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Open source unix virus by BlackPignouf · · Score: 4, Funny

      My favorite is still writing

      echo "sleep 1" >> ~/.profile

      inside the .profile of my colleagues when they leave their terminal open.
      A few weeks after, I complain that my Windows desktop seems to be always booting slower and slower, but that hopefully, it's never been a problem with Linux.

  6. Pastejacking? by Ol+Olsoc · · Score: 2

    I remember a kid in second grade who was caught pastejacking in second grade. Sent him away, and never came back. The school had to buy all new paste too.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  7. An exploit for your text editor by tepples · · Score: 3, Interesting

    If I ever paste anything into terminal I always paste it into a text editor first.

    Then gosh help you if what you paste contains an exploit for your text editor. There's a vi exploit in one of the examples.

  8. Re:Copy all commands into a file first by mugurel · · Score: 2
    cat - > /tmp/emptyfile.txt (then do the paste, and then Ctrl-D)

    This is robust at least against the demo attacks given in the article.