Security researcher Dylan Ayrey published a new hacking method last week called Pastejacking and uses Javascript as a means of attack.
The Pastejacking attack works in the same way as an older CSS attack but with Javascript, which makes it much more effective.
JavaScript is much more powerful programming language and much more flexible than CSS. With the older CSS method, the user had to copy-paste the entire malicious text, and Javascript does not need to select the entire text.
Copying a single character is enough!
In theory, an attacker could add a malicious code του Ρastejacking Javascript από μια ολόκληρη σελίδα, when doing a paste even for something very small in a terminal. That way he could run whatever commands he wanted without anyone noticing.
Dylan Ayrey has released a demo where the attacker runs his malicious code, cleans the victim's clipboard, and then adds the code that the victim copied, making him believe that nothing happened.
The attack can be very dangerous especially if it is done through technical support or phishing pages emails. Users may think that copying the code from these sources is innocent, but in fact they are very dangerous exploits.
To test the new enough insidious attack, visit the PoC and copy-paste the harmless text into a terminal.
Read more details from the link below:
