Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com) 89
An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
Misfeature (Score:5, Informative)
This was *always* a mis-feature and it should simply be disabled at the browser level to permanently ignore.
Re: (Score:3, Informative)
Advertisers have been doing this for years with all sorts of their stuff attached to the paste. Is there an extension that can disable it?
And don't people read what they pasted into the terminal before hitting the Enter key?
Re:Misfeature (Score:5, Informative)
I'd venture a guess that the paste ships with the newline already...
Re: (Score:1)
Yeah, you gotta be careful not to copy that. I only had to get burned once.
Re: (Score:2)
I always paste into Notepad to remove the extra junk anyways. I too would love to see that extra copy BS die in a napalm fire.
Re: (Score:3, Interesting)
What is ‘this’ in your sentence? CSS? Copying in general? All the page does is use some CSS to move part of the text off-screen where it cannot be seen.
Detecting what is and isn't visible when copying text is a non-trivial task, as is defining what visibility means: obviously when you press Ctrl+A, Ctrl+Ins you want the entire document, even those parts for which you'd need the scrollbar to read them. But what if text is placed in such a way that it's always inside the scrollable region, but out
Re: (Score:1)
It is pretty clear that the people over reacting to this are those who don't understand the markup/stylesheets.
This isn't a issue that should be dealt with on the browser end. Pretty clear this is a PEBKAC error.
Users should clearly inspect any commands before they copy and paste them to their terminal.
If I ever paste anything into terminal I always paste it into a text editor first.
Re: Misfeature (Score:1)
I understand the markup/stylesheets are a hotbed of vulnerabilities stacked a mile deep. I understand that ctrl+c should copy the visibile highlighted text only, not some backend hidden obscure bullshit. I understand that this shit should be disabled at the browser level, and ideally at the fucking spec.
An exploit for your text editor (Score:4, Interesting)
If I ever paste anything into terminal I always paste it into a text editor first.
Then gosh help you if what you paste contains an exploit for your text editor. There's a vi exploit in one of the examples.
Re: (Score:2)
I think the idea is to leave insert mode to paste using a dedicated paste command rather than using your terminal's keypress simulation.
Re: (Score:2)
That's more of an argument against using vi for handling unsanitized input. Most editors require you to press un-pasteable modifier keys to do anything dangerous or irreversible, but vi's modal design makes it vulnerable.
Re: (Score:2)
Newlines are one thing. but browsers should not be allowing escape sequences to get into the paste buffer. Which, by the way, is why you cannot use most text editors to check what the clipboard contains without taking special measures.
("xclip -o > file.txt" and "xclip -selection prmary -o > file.txt" are your friend.)
Re: (Score:1)
Re: (Score:1)
Just my opinion, but seems to be more of a problem to be handled on the terminal application level than in the browser.
Check out this link regarding bracketed paste mode [cirw.in].
Re: (Score:2)
In answer to GGP, you may not have been born early enough to have reason to know that "escape sequences" [wikipedia.org] also is used to refer to in-band signalling on TTYs (which, yes, there are some in the other direction than what is covered in that article). As far as this post I mean specifically ascii character 0x1b (U+001B), which browsers will happily allow to be stuffed in the clipboard and which is what makes exploits of pastes into certain text editors possible. A strong argument could be made for certain of th
Re: (Score:2)
Re: (Score:2)
Re:Misfeature (Score:5, Informative)
Disable Javascript and CSS, or don't copy and paste web content in to your terminal.
The CSS method puts an inline span in the middle of what you're supposed to copy and gives it an absolute position so it's out of the visible area. Being inline, the browser doesn't care it's been re-positioned and adds it to the selected content.
The Javascript method, I assume listens for the selection events and insert inline content into the selection at a place on screen you can't see.
Re:Misfeature (Score:4, Insightful)
Disable javascript and CSS. Then disable the clipboard and the graphical environment. Then format your harddisk, take apart your PC, and throw every part into a fire. It will hurt as they burn, but at least you will be still alive.
Seriously, what sort of shitty advise is "disable javascript and CSS"? Might as well tell people to only ever browse with Lynx. Which basically means 'giving up on the world wide web as a whole'. That seems a rather drastic solution for working around a very, very minor problem in the first place. For one thing, if you run Windows none of this is a problem, so 99% of the worlds' population is already safe by default...
Re: (Score:1)
It's pretty much the only answer to the question "How do I disable it at the browser level?", which is what I replied to.
If you ask a stupid question, expect a stupid answer.
Re: (Score:2)
Actually the browsers need to be updated to fix this.
The Javascript oncopy event maybe shouldn't even be fired by default on untrusted sites.
The default copy to clipboard action should ignore hidden divs, inline spans to offscreen locations, etc.
The default copy to clipboard action should perhaps ignore html/css entirely and just copy selected plaintext. Because I can see other vectors for attack, not just the terminal.
Re: (Score:1)
Re: (Score:2)
That seems a rather drastic solution for working around a very, very minor problem in the first place.
Clipboard attacks could do all sorts of nastiness. What if they used javascript to dynamically attach a media container with a malicious file, knowing that you are pasting it into word or excel or something which will activate that container outside of the browser sandbox.
For one thing, if you run Windows none of this is a problem, so 99% of the worlds' population is already safe by default...
Because there is no command prompt in windows? And there aren't any sites on the web where you might be instructed to open a command prompt and copy/paste a bit of script... to clean up a virus infection, or disable telemetry, or whatever.
Re: (Score:2)
Read your post again.
Your argument fails for the same reason ActiveX was an atrocity. As long as everybody ELSE does their job properly activeX was fine. But reality doesn't work like that and ActiveX was a horrible security mess as a result.
The operating system and the browser need to take ownership of the problem and ensure the clipboard is safe.
The web should be assumed hostile by default. The browser runs in a sandbox by default, and everything coming out of it needs to be carefully screened and sanitiz
Re: (Score:2)
For one thing, they'd need a time machine to travel into the future to the moment when the text is pasted to see which application is on the receiving end so the copying application and the operating can do their filtering job, and secondly there is no way that any application writer can foresee all possible troublesome situations
I don't care that it can't foresee all possible troublesome situations, you are raising the bar to absurd levels.
The browser should be responsible for sanitizing what goes into the
We expect better effort next time. (Score:3, Insightful)
Millennial hackers just don't try very hard.
Bracketed Paste Mode (Score:5, Informative)
Terminals/shells that support bracketed paste mode don't have this problem.
When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).
There's a ZSH plugin that adds this functionality:
https://cirw.in/blog/bracketed-paste [cirw.in]
I love zsh.
Re: (Score:2)
wait which shell automatically executes pasted commands?
I know bash and powershell(yes I use MSFT powershell) do not.
Re: (Score:1)
They do if the paste contains a newline at the end (or in the middle).
Re: (Score:1)
Most shells CAN execute pasted code automatically, because they don't distinguish between user input (i.e. from the keyboard) and the pasted contents. So if the pasted contents have a newline in them, generally the shell will execute the pasted command immediately. For example, if the copied string was "ls\n", the shell would just think the user typed: [l] [s] [enter]
Most modern terminals will surround the pasted text with escape sequences, which can signal a supporting app (i.e. a shell or an editor) that
Re: (Score:3, Informative)
Try again with a newline at the end of the command. That will automatically execute the command as part os pasting it. A malicious script would put a newline at the end so it would run before you had a chance to catch the error.
Terminal + bash on Mac will execute. As will both Powershell and cmd.exe on Win.
Re: (Score:3)
are you sure, what happens if you have a \n character embed in the paste text. bash sure executes it in my terminal emulator.
Re: (Score:2)
Insecure Terminals are the problem. (Score:2)
Terminals/shells that support bracketed paste mode don't have this problem.
Which should be the default behaviour for all Terminals.
Re: (Score:3)
Terminals/shells that support bracketed paste mode don't have this problem.
When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).
There's a ZSH plugin that adds this functionality:
https://cirw.in/blog/bracketed-paste [cirw.in]
I love zsh.
On Windows, if you use ConEmu [github.io] to manage your shell sessions it will block execution of pastes that contain a Return character (regardless of which shell you are running; works with both cmd.exe and bash) and will warn you about the embedded Return.
I'm wishing for help from terminal programs (Score:2)
I know I shouldn't copy and paste into a terminal, but it is so convenient. I don't even need a malicious website to get myself into trouble. I just forget that I copied hundreds of lines right after I copied that filename that I wanted to use. And then boom!, lots of commands entered that who knows what will happen with.
I've occasionally looked, but never found a terminal to help with this. Probably because they shouldn't encourage my bad habit. But if it would just give me a pop up showing what I am
Re: (Score:2)
On Mac, iTerm2 will warn you "You're about to paste [1] lines ending in a newline. Are you sure?" Or sometimes "408 lines."
document.execCommand (Score:1)
So, this hack uses document.execCommand('copy')
It doesn't work in Safari nor Chrome. What browser DOES it work in?
Re: (Score:1)
It does work in Chrome on Linux.
Re: (Score:2)
According to https://developer.mozilla.org/... [mozilla.org] document.execCommand('copy') works on Chrome 42+, Firefox 41+, IE9+ and Opera 29+
Open source unix virus (Score:4, Funny)
Subject: Unix virus
You have been attacked by the unix virus. Please forward this mail to everyone in your .mailrc and delete a bunch of files from $home
Re:Open source unix virus (Score:5, Funny)
My favorite is still writing
inside the .profile of my colleagues when they leave their terminal open.
A few weeks after, I complain that my Windows desktop seems to be always booting slower and slower, but that hopefully, it's never been a problem with Linux.
Ye old unix hacks (Score:2)
Reminds me a bit of a hack we used to do in the late 80s/early 90s on the old terminals at uni. For a few seconds during login on the old unix machines, your terminal was world writable. There was an escape sequence that let you bind key sequences to keys (like macros I guess). So we'd sit there watching for that login and blap the terminal with macros, and then take control from there.
Fortunately it was a more innocent time, so we'd just use it to spam academics with frank zappa lyrics and stupid shit like
Pastejacking? (Score:3)
Re: (Score:2)
Re: (Score:3)
This is robust at least against the demo attacks given in the article.
Re: (Score:2)