Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal are warned they risk having their system compromised.
A technologist demonstrates a simple trick that'll make you think twice before copying and pasting text from web pages.
Backdoor on your clipboard?
Recently, Gabriel Friedlander, founder of security awareness training platform Wizer, demonstrated an obvious yet surprising hack that'll make you cautious of copying-pasting commands from web pages.
It isn't unusual for novice and skilled developers alike to copy commonly used commands from a webpage (ahem, StackOverflow) and paste them into their applications, a Windows command prompt or a Linux terminal.
But Friedlander warns a webpage could be covertly replacing the contents of what goes on your clipboard, and what actually ends up being copied to your clipboard would be vastly different from what you had intended to copy.
Worse, without the necessary due diligence, the developer may only realize their mistake after pasting the text, at which point it may be too late.
In a simple proof of concept (PoC) published on his blog, Friedlander asks readers to copy a simple command that most sysadmins and developers would be familiar with:
Now, paste what you copied from Friedlander's blog into a text box or Notepad, and the result is likely to leave you surprised:
Not only do you get a completely different command present on your clipboard, but to make matters worse, it has a newline (or return) character at the end of it.
This means the above example would execute as soon as it's pasted directly into a Linux terminal.
Those pasting the text may have been under the impression they were copying the familiar, innocuous command sudo apt update that is used to fetch updated information on software installed on your system.
But that's not quite what happened.
What causes this?
The magic is in the JavaScript code hidden behind the PoC HTML page set up by Friedlander.
As soon as you copy the "sudo apt update" text contained in an HTML element, the code snippet shown below runs.
What happens afterward is a JavaScript 'event listener' capturing the copy event and replacing the clipboard data with Friedlander's malicious test code:
Note, event listeners have a variety of legitimate use-cases in JavaScript but this is just one example of how they could be misused.
"This is why you should NEVER copy paste commands directly into your terminal," warns Friedlander.
"You think you are copying one thing, but it’s replaced with something else, like malicious code. All it takes is a single line of code injected into the code you copied to create a backdoor to your app."
"This attack is very simple but also very harmful."
A Reddit user also presented an alternative example of this trick that requires no JavaScript: invisible text made with HTML and CSS styling that gets copied onto your clipboard when you copy the visible portions of text:
"The problem is not just that the website can change your clipboard contents using JavaScript," explains the user, SwallowYourDreams.
"It could also just hide commands in the HTML that are invisible to the human eye, but will be copied by the computer."
And so, another reason to never blindly trust what you copy from a web page—better paste it in a text editor first.
A simple but nonetheless important lesson in everyday security.
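The "paste it in a text editor and look first" check, written out as an added example that is not taken from Friedlander's PoC or the Reddit post: it compares the text you saw on the page with what actually landed on the clipboard, which covers both the copy-event swap and the hidden HTML/CSS text described above. It goes beyond the article by also flagging control and zero-width characters; the function names, finding labels and sample strings are constructed for illustration.

```javascript
// Added example (not from the article): audit clipboard text before it reaches a shell.
// `expected` is what the reader saw on the page; `clipboard` is what was actually copied.
// Function names and finding labels are hypothetical.

// C0/C1 control characters other than tab, LF and CR (covers ESC, backspace, DEL).
const CONTROL = /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f-\u009f]/;
// Zero-width and bidirectional-override characters that render as nothing.
const INVISIBLE = /[\u200b-\u200f\u202a-\u202e\u2060-\u2064\u2066-\u2069\ufeff]/;

function auditClipboard(expected, clipboard) {
  const findings = [];
  // Normalise Windows line endings so CRLF and LF are treated alike.
  const text = clipboard.replace(/\r\n/g, "\n");
  if (text.trim() !== expected.trim()) findings.push("differs-from-visible-text");
  if (/[\n\r]\s*$/.test(text)) findings.push("trailing-newline-autoexecutes");
  if (/[\n\r]/.test(text.replace(/[\n\r]\s*$/, ""))) findings.push("multiple-lines");
  if (CONTROL.test(text)) findings.push("control-characters");
  if (INVISIBLE.test(text)) findings.push("invisible-unicode");
  return findings;
}

// Render the text so that nothing in it can hide: every non-printable or
// non-ASCII code point becomes a visible escape.
function reveal(clipboard) {
  return Array.from(clipboard, (ch) => {
    const cp = ch.codePointAt(0);
    if (ch === "\n") return "\\n";
    if (ch === "\r") return "\\r";
    if (ch === "\t") return "\\t";
    return cp < 0x20 || cp > 0x7e ? `\\u{${cp.toString(16)}}` : ch;
  }).join("");
}

// Constructed samples: the command the article names, plus harmless stand-ins
// for a swapped clipboard and for hidden-text injection.
const VISIBLE = "sudo apt update";
const SAMPLES = {
  clean: "sudo apt update",
  swapped: "echo 'not what you copied'\n",
  hiddenText: "sudo apt; echo 'hidden span'; apt update",
  zeroWidth: "sudo apt\u200b update",
};

for (const [name, clip] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditClipboard(VISIBLE, clip)), reveal(clip));
}
```

An empty findings list means the clipboard holds exactly the single line you saw; anything else is a reason to read the `reveal` output before pasting.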
Update, Jan 4th, 02:00 AM ET: Added another example of attack using invisible HTML/CSS.
Comments
D0NM3GA - 2 years ago
I read this as: "People who are doing tasks they are not trained or knowledgeable about, are being taken advantage of in a way that should not be surprising to anyone who has spent any time in tech."
Don't do things if you don't know what you're doing. (Unless it's your lab or computer that you are learning on, and if it breaks it doesn't matter)
mito88 - 2 years ago
"Don't do things if you don't know what you're doing..."
That's not the real problem, IMO.
One is at risk when there is that nice feeling which confidence provides...
frumptert - 2 years ago
This has nothing to do with not knowing what you're doing. As a full stack software engineer, I don't remember every single command I might need on a day-to-day basis. There's no way for me to remember every nuance of the JavaScript, Java, Python, and Bash languages I use. Searching and copying commands is necessary, as is knowing where you're copying from. To be honest, you sound like someone who's done a few tutorials and now thinks they're a "developer".
digisyn - 2 years ago
The solution is to paste into a text editor first. Look over what you pasted. Recopy from the text editor and safely paste into the destination.
hobbydungeon - 6 months ago
Or just highlight the text and middle-click...
Seriously, who uses Ctrl+C and Ctrl+V for terminal commands unless you're not on a Linux system?
pcpunk - 2 years ago
I was always suspicious of this and usually put it to a document of some kind first. Usually though, I get this stuff from known legit sites, but not always.
WayneShu - 2 years ago
I use Copy PlainText plugin for Firefox and it does not have this problem. I get
sudo apt update
using copy plaintext.
acgp - 2 years ago
I started using Linux for some months and this article deserves a special feature in BC as there are a huge number of sites instructing Linux users to copy and paste (even some scripts)... I saw this trick on a number of e-mails in Outlook, where I worked, and even after showing this to some colleagues in the spam folder some of them "insisted" on clicking... Every week I had to clean some dormant Trojan that Windows Defender wouldn't block.
lk77 - 2 years ago
I always copy paste from stackoverflow,
and usually from good responses, with a lot of upvotes,
I would never trust some random website.
Even if the code / cmd line is not malicious, it could be bad.
lawndoc - 2 years ago
Reputable forums and sites like stackoverflow don't allow content contributors to add javascript to the page (if they did that would be reflected XSS), but hacking a popular website like that would make for a nasty watering hole attack.
Icepop33 - 2 years ago
First time poster, I think. This site is fantastic, usually among the forefront on any emerging security issue, and gets a lot of linking, but not enough engagement IMO. I'm here to change that, lol.
I'm glad to see the simple solution appear in the article, but maybe it should be highlighted ;).
Security pros should never paste into a terminal from an external source they don't control. They should know better, regardless of confidence level!
It is easy to obfuscate hyperlink destinations in HTML, so if you're on a site you're unfamiliar with or don't trust, it's a good idea to copy and paste these links into notepad or similar plain text editor using default character encoding. This will also strip away any formatting, including any characters hidden by HTML/CSS. It is my understanding that Chrome does a better job of not trying to normalize the copy blob to unicode. I'd link, but I don't know if links in forum posts are allowed and don't remember seeing any explicitly.
I'm so lazy this afternoon and quite seasonally afflicted as well as I look out at the gray sky...
Another trend I find very annoying are those links or buttons that hide the URL from the user. These websites don't put the URL in the HREF, but instead attach a JavaScript function to the onclick event which then puts the actual URL in the <a> element at "runtime". I don't have an easy solution for the casual user, except to not click on these suspect links (on sites you're unfamiliar with or don't trust).
On highly complex sites such as banking sites, with tons of back-end programming and security measures, obviously you are going to have that trust level, because you sure aren't going to be able to follow the link tree, or the automatically generated megalinks to a myriad of fintech and real-time processing domains. In fact, the whole of ecommerce is trust-based.
Sometimes we get burned, but most things work most of the time for most people :)
It's the ever-increasing Cosmic Stolen Data Background Radiation that has me really worried, but not really relevant to this particular discussion.
It's a bit alarming that the clipboard can be so easily hijacked by a little javascript, but with greater functionality comes a greater security risk. It's as old as time. Basic security practices, practiced always, are a fundamentally more effective security measure than the latest update to your security stack reacting to the latest attack iteration and this goes for home users, as well.
Yes, educate your family about smart link handling!