Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Java Security Privacy Programming The Internet News Technology

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com) 89

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
This discussion has been archived. No new comments can be posted.

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard

Comments Filter:
  • Misfeature (Score:5, Informative)

    by vux984 ( 928602 ) on Tuesday May 24, 2016 @06:51PM (#52175447)

    This was *always* a mis-feature and it should simply be disabled at the browser level to permanently ignore.
     

    • Re: (Score:3, Informative)

      Advertisers have been doing this for years with all sorts of their stuff attached to the paste. Is there an extension that can disable it?

      And don't people read what they pasted into the terminal before hitting the Enter key?

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      What is ‘this’ in your sentence? CSS? Copying in general? All the page does is use some CSS to move part of the text off-screen where it cannot be seen.
      Detecting what is and isn't visible when copying text is a non-trivial task, as is defining what visibility means: obviously when you press Ctrl+A, Ctrl+Ins you want the entire document, even those parts for which you'd need the scrollbar to read them. But what if text is placed in such a way that it's always inside the scrollable region, but out

      • by Anonymous Coward

        It is pretty clear that the people over reacting to this are those who don't understand the markup/stylesheets.

        This isn't a issue that should be dealt with on the browser end. Pretty clear this is a PEBKAC error.

        Users should clearly inspect any commands before they copy and paste them to their terminal.

        If I ever paste anything into terminal I always paste it into a text editor first.

        • by Anonymous Coward

          I understand the markup/stylesheets are a hotbed of vulnerabilities stacked a mile deep. I understand that ctrl+c should copy the visibile highlighted text only, not some backend hidden obscure bullshit. I understand that this shit should be disabled at the browser level, and ideally at the fucking spec.

        • by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Tuesday May 24, 2016 @10:12PM (#52176185) Homepage Journal

          If I ever paste anything into terminal I always paste it into a text editor first.

          Then gosh help you if what you paste contains an exploit for your text editor. There's a vi exploit in one of the examples.

          • by AmiMoJo ( 196126 )

            That's more of an argument against using vi for handling unsanitized input. Most editors require you to press un-pasteable modifier keys to do anything dangerous or irreversible, but vi's modal design makes it vulnerable.

        • by skids ( 119237 )

          Newlines are one thing. but browsers should not be allowing escape sequences to get into the paste buffer. Which, by the way, is why you cannot use most text editors to check what the clipboard contains without taking special measures.

          ("xclip -o > file.txt" and "xclip -selection prmary -o > file.txt" are your friend.)

      • by tlhIngan ( 30335 )

        What is âthisâ(TM) in your sentence? CSS? Copying in general? All the page does is use some CSS to move part of the text off-screen where it cannot be seen.
        Detecting what is and isn't visible when copying text is a non-trivial task, as is defining what visibility means: obviously when you press Ctrl+A, Ctrl+Ins you want the entire document, even those parts for which you'd need the scrollbar to read them. But what if text is placed in such a way that it's always inside the scrollable region, but o

    • How do I disable it at the browser level?
      • Re:Misfeature (Score:5, Informative)

        by viperidaenz ( 2515578 ) on Tuesday May 24, 2016 @10:37PM (#52176261)

        Disable Javascript and CSS, or don't copy and paste web content in to your terminal.

        The CSS method puts an inline span in the middle of what you're supposed to copy and gives it an absolute position so it's out of the visible area. Being inline, the browser doesn't care it's been re-positioned and adds it to the selected content.

        The Javascript method, I assume listens for the selection events and insert inline content into the selection at a place on screen you can't see.

        • Re:Misfeature (Score:4, Insightful)

          by johannesg ( 664142 ) on Wednesday May 25, 2016 @01:33AM (#52176847)

          Disable javascript and CSS. Then disable the clipboard and the graphical environment. Then format your harddisk, take apart your PC, and throw every part into a fire. It will hurt as they burn, but at least you will be still alive.

          Seriously, what sort of shitty advise is "disable javascript and CSS"? Might as well tell people to only ever browse with Lynx. Which basically means 'giving up on the world wide web as a whole'. That seems a rather drastic solution for working around a very, very minor problem in the first place. For one thing, if you run Windows none of this is a problem, so 99% of the worlds' population is already safe by default...

          • It's pretty much the only answer to the question "How do I disable it at the browser level?", which is what I replied to.

            If you ask a stupid question, expect a stupid answer.

            • by vux984 ( 928602 )

              Actually the browsers need to be updated to fix this.

              The Javascript oncopy event maybe shouldn't even be fired by default on untrusted sites.

              The default copy to clipboard action should ignore hidden divs, inline spans to offscreen locations, etc.

              The default copy to clipboard action should perhaps ignore html/css entirely and just copy selected plaintext. Because I can see other vectors for attack, not just the terminal.

          • Actually, this is still a problem with Windows because you could paste this crap into a cmd or Powershell window just fine.
          • by vux984 ( 928602 )

            That seems a rather drastic solution for working around a very, very minor problem in the first place.

            Clipboard attacks could do all sorts of nastiness. What if they used javascript to dynamically attach a media container with a malicious file, knowing that you are pasting it into word or excel or something which will activate that container outside of the browser sandbox.

            For one thing, if you run Windows none of this is a problem, so 99% of the worlds' population is already safe by default...

            Because there is no command prompt in windows? And there aren't any sites on the web where you might be instructed to open a command prompt and copy/paste a bit of script... to clean up a virus infection, or disable telemetry, or whatever.

  • by downright ( 1625607 ) on Tuesday May 24, 2016 @06:53PM (#52175465)

    Millennial hackers just don't try very hard.

  • Bracketed Paste Mode (Score:5, Informative)

    by Anonymous Coward on Tuesday May 24, 2016 @06:59PM (#52175499)

    Terminals/shells that support bracketed paste mode don't have this problem.

    When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).

    There's a ZSH plugin that adds this functionality:

    https://cirw.in/blog/bracketed-paste [cirw.in]

    I love zsh.

    • wait which shell automatically executes pasted commands?

      I know bash and powershell(yes I use MSFT powershell) do not.

      • by Anonymous Coward

        They do if the paste contains a newline at the end (or in the middle).

      • by Anonymous Coward

        Most shells CAN execute pasted code automatically, because they don't distinguish between user input (i.e. from the keyboard) and the pasted contents. So if the pasted contents have a newline in them, generally the shell will execute the pasted command immediately. For example, if the copied string was "ls\n", the shell would just think the user typed: [l] [s] [enter]

        Most modern terminals will surround the pasted text with escape sequences, which can signal a supporting app (i.e. a shell or an editor) that

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Try again with a newline at the end of the command. That will automatically execute the command as part os pasting it. A malicious script would put a newline at the end so it would run before you had a chance to catch the error.

        Terminal + bash on Mac will execute. As will both Powershell and cmd.exe on Win.

      • by DarkOx ( 621550 )

        are you sure, what happens if you have a \n character embed in the paste text. bash sure executes it in my terminal emulator.

    • Comment removed based on user account deletion
    • Terminals/shells that support bracketed paste mode don't have this problem.

      Which should be the default behaviour for all Terminals.

    • by Jahta ( 1141213 )

      Terminals/shells that support bracketed paste mode don't have this problem.

      When you paste something, it won't execute until you press enter. This helps avoid issues with mistake pastes, and also issues wherein one accidentally copies a newline with the desired text (in this case, you can hit backspace to delete the newline, continue editing the command, and hit enter only when you're done).

      There's a ZSH plugin that adds this functionality:

      https://cirw.in/blog/bracketed-paste [cirw.in]

      I love zsh.

      On Windows, if you use ConEmu [github.io] to manage your shell sessions it will block execution of pastes that contain a Return character (regardless of which shell you are running; works with both cmd.exe and bash) and will warn you about the embedded Return.

  • I know I shouldn't copy and paste into a terminal, but it is so convenient. I don't even need a malicious website to get myself into trouble. I just forget that I copied hundreds of lines right after I copied that filename that I wanted to use. And then boom!, lots of commands entered that who knows what will happen with.

    I've occasionally looked, but never found a terminal to help with this. Probably because they shouldn't encourage my bad habit. But if it would just give me a pop up showing what I am

    • by Fwipp ( 1473271 )

      On Mac, iTerm2 will warn you "You're about to paste [1] lines ending in a newline. Are you sure?" Or sometimes "408 lines."

  • So, this hack uses document.execCommand('copy')

    It doesn't work in Safari nor Chrome. What browser DOES it work in?

  • by 140Mandak262Jamuna ( 970587 ) on Tuesday May 24, 2016 @07:49PM (#52175753) Journal
    Clip board and command line? Wasn't there already a unix virus like that?

    Subject: Unix virus

    You have been attacked by the unix virus. Please forward this mail to everyone in your .mailrc and delete a bunch of files from $home

  • Reminds me a bit of a hack we used to do in the late 80s/early 90s on the old terminals at uni. For a few seconds during login on the old unix machines, your terminal was world writable. There was an escape sequence that let you bind key sequences to keys (like macros I guess). So we'd sit there watching for that login and blap the terminal with macros, and then take control from there.

    Fortunately it was a more innocent time, so we'd just use it to spam academics with frank zappa lyrics and stupid shit like

  • by Ol Olsoc ( 1175323 ) on Tuesday May 24, 2016 @09:58PM (#52176147)
    I remember a kid in second grade who was caught pastejacking in second grade. Sent him away, and never came back. The school had to buy all new paste too.
    • I stole a spaghetti once because I was low on dough. Yep. Thank god I didn't grab one of those RFID tagliatelli, like my mate did.. the coroner report says he simply pastaway but he was covered in boils and had that terrible strained look in his eyes :-(

Where there's a will, there's an Inheritance Tax.

Working...