Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)

Posted by BeauHD on from the look-behind-you dept.

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."

12 of 89 comments (clear)

  1. Misfeature by vux984 · · Score: 5, Informative

    This was *always* a mis-feature and it should simply be disabled at the browser level to permanently ignore.
     

    1. Re:Misfeature by fustakrakich · · Score: 3, Informative

      Advertisers have been doing this for years with all sorts of their stuff attached to the paste. Is there an extension that can disable it?

      And don't people read what they pasted into the terminal before hitting the Enter key?

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Misfeature by fisted · · Score: 4, Informative

      I'd venture a guess that the paste ships with the newline already...

      --
      CLI paste? paste.pr0.tips!
    3. Re:Misfeature by Anonymous Coward · · Score: 3, Interesting

      What is ‘this’ in your sentence? CSS? Copying in general? All the page does is use some CSS to move part of the text off-screen where it cannot be seen.
      Detecting what is and isn't visible when copying text is a non-trivial task, as is defining what visibility means: obviously when you press Ctrl+A, Ctrl+Ins you want the entire document, even those parts for which you'd need the scrollbar to read them. But what if text is placed in such a way that it's always inside the scrollable region, but outside the visible window client area?
      And so far there have been no successful attacks based on this mechanism. It is hard to exploit, it requires the victims to paste console commands (that reduces your audience quite a lot, most people never use the console), it likely requires specific environments, it requires the console to execute it immediately rather than show it, and it's really obvious to victim that something is up, even when, especially when, it doesn't work.
      So, a very difficult and low-priority feature then.
      And one might wonder if it's really the browsers which need to fix this. I think it would help a great deal if terminals detected if the text likely came from the web (this can be checked since when you copy from a browser, HTML gets put on the clipboard as well as a plain text version). One of the most dangerous aspects of this attack is that the BR-tag must translate to a newline, and terminals execute commands when they encounter newlines. If the terminal would simply show these newlines on the prompt and only execute stuff when the user actually presses enter, most of the attack surface would be gone.

    4. Re:Misfeature by viperidaenz · · Score: 4, Informative

      Disable Javascript and CSS, or don't copy and paste web content in to your terminal.

      The CSS method puts an inline span in the middle of what you're supposed to copy and gives it an absolute position so it's out of the visible area. Being inline, the browser doesn't care it's been re-positioned and adds it to the selected content.

      The Javascript method, I assume listens for the selection events and insert inline content into the selection at a place on screen you can't see.

    5. Re:Misfeature by johannesg · · Score: 3, Insightful

      Disable javascript and CSS. Then disable the clipboard and the graphical environment. Then format your harddisk, take apart your PC, and throw every part into a fire. It will hurt as they burn, but at least you will be still alive.

      Seriously, what sort of shitty advise is "disable javascript and CSS"? Might as well tell people to only ever browse with Lynx. Which basically means 'giving up on the world wide web as a whole'. That seems a rather drastic solution for working around a very, very minor problem in the first place. For one thing, if you run Windows none of this is a problem, so 99% of the worlds' population is already safe by default...

  2. We expect better effort next time. by downright · · Score: 3, Insightful

    Millennial hackers just don't try very hard.

  3. Bracketed Paste Mode by Anonymous Coward · · Score: 5, Informative

    Terminals/shells that support bracketed paste mode don't have this problem.

    When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).

    There's a ZSH plugin that adds this functionality:

    https://cirw.in/blog/bracketed-paste

    I love zsh.

    1. Re:Bracketed Paste Mode by Anonymous Coward · · Score: 3, Informative

      Try again with a newline at the end of the command. That will automatically execute the command as part os pasting it. A malicious script would put a newline at the end so it would run before you had a chance to catch the error.

      Terminal + bash on Mac will execute. As will both Powershell and cmd.exe on Win.

  4. Open source unix virus by 140Mandak262Jamuna · · Score: 3, Funny
    Clip board and command line? Wasn't there already a unix virus like that?

    Subject: Unix virus

    You have been attacked by the unix virus. Please forward this mail to everyone in your .mailrc and delete a bunch of files from $home

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Open source unix virus by BlackPignouf · · Score: 4, Funny

      My favorite is still writing

      echo "sleep 1" >> ~/.profile

      inside the .profile of my colleagues when they leave their terminal open.
      A few weeks after, I complain that my Windows desktop seems to be always booting slower and slower, but that hopefully, it's never been a problem with Linux.

  5. An exploit for your text editor by tepples · · Score: 3, Interesting

    If I ever paste anything into terminal I always paste it into a text editor first.

    Then gosh help you if what you paste contains an exploit for your text editor. There's a vi exploit in one of the examples.