Security researcher Dylan Ayrey published a new hacking method last week called Pastejacking and uses Javascript as a means of attack.
The Pastejacking attack works in the same way as an older CSS attack but with Javascript, which makes it much more effective.
JavaScript is a much more powerful programming language and much more flexible than CSS. With the older method that used CSS o user he had to copy-paste the entire malicious text, whereas with Javascript he doesn't have to select the entire text.
Η copy one character is enough!
In theory, an attacker could add a malicious code of Rastejacking Javascript from an entire page when it makes a paste even for something very small in a terminal. That way he could run that orders he wants without knowing anything.
Dylan Ayrey posted a demo where the attacker runs his malicious code, cleans the clipboard of the victim, and then adds the code that the victim had copied, making them believe that nothing happened.
The attack can be very dangerous especially if it is done through technical support pages or Phishing emails. Οι χρήστες μπορεί να πιστεύουν ότι είναι αντιγραφή του κώδικα από αυτές τις πηγές είναι αθώα, αλλά στην πραγματικότητα να είναι πολύ επικίνδυνα exploits.
To test the new enough insidious attack, visit the PoC and copy-paste the harmless text into a terminal.
Read more details from the link below: