Security researcher Dylan Ayrey published a new method last week hacking, which he calls Pastejacking and uses Javascript as a means of attack.
The Pastejacking attack works in the same way as an older CSS attack but with Javascript, which makes it much more effective.
JavaScript is a much more powerful programming language and much more flexible than CSS. With the older method that used CSS o user he had to copy-paste the entire malicious text, whereas with Javascript he doesn't have to select the entire text.
Η copy one character is enough!
In theory, an attacker could add a malicious code of Rastejacking Javascript from an entire page when it makes a paste even for something very small in a terminal. That way he could run that orders he wants without knowing anything.
Dylan Ayrey has released a demo where the attacker runs his malicious code, cleans the victim's clipboard, and then adds the code that the victim copied, making him believe that nothing happened.
The attack can be very dangerous especially if it is done through pages techniqueof support or phishing emails. Users may think that copying the code from these sources is innocent, but in fact they are very dangerous exploits.
To test the new enough insidious attack, visit the PoC and copy-paste the harmless text into a terminal.
Read more details from the link below: