Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)

← Back to Stories (view on slashdot.org)

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)

Posted by BeauHD on Tuesday May 24, 2016 @11:40AM from the look-behind-you dept.

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."

5 of 89 comments (clear)

Min score:

Reason:

Sort:

Misfeature by vux984 · 2016-05-24 11:51 · Score: 5, Informative

This was *always* a mis-feature and it should simply be disabled at the browser level to permanently ignore.
1. Re:Misfeature by fisted · 2016-05-24 12:19 · Score: 4, Informative
  
  I'd venture a guess that the paste ships with the newline already...
  
  --
  CLI paste? paste.pr0.tips!
2. Re:Misfeature by viperidaenz · 2016-05-24 15:37 · Score: 4, Informative
  
  Disable Javascript and CSS, or don't copy and paste web content in to your terminal.
  The CSS method puts an inline span in the middle of what you're supposed to copy and gives it an absolute position so it's out of the visible area. Being inline, the browser doesn't care it's been re-positioned and adds it to the selected content.
  The Javascript method, I assume listens for the selection events and insert inline content into the selection at a place on screen you can't see.
Bracketed Paste Mode by Anonymous Coward · 2016-05-24 11:59 · Score: 5, Informative

Terminals/shells that support bracketed paste mode don't have this problem.
When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).
There's a ZSH plugin that adds this functionality:
https://cirw.in/blog/bracketed-paste
I love zsh.
Re:Open source unix virus by BlackPignouf · 2016-05-24 20:36 · Score: 4, Funny

My favorite is still writing

echo "sleep 1" >> ~/.profile
inside the .profile of my colleagues when they leave their terminal open.
A few weeks after, I complain that my Windows desktop seems to be always booting slower and slower, but that hopefully, it's never been a problem with Linux.