Security researcher Dylan Ayrey last week published a new attack method called Pastejacking, which uses JavaScript as its means of attack.
The Pastejacking attack works in the same way as an older CSS attack but uses JavaScript, which makes it much more effective.
JavaScript is a much more powerful and flexible programming language than CSS. With the older CSS method, the user had to copy-paste the entire malicious text; with JavaScript, the user does not need to select the entire text.
Copying a single character is enough!
In theory, an attacker could attach malicious Pastejacking JavaScript to an entire page, so that it takes effect when the user copies even something very small and pastes it into a terminal. That way he could run whatever commands he wants without anyone noticing.
Dylan Ayrey posted a demo in which the attacker runs his malicious code, cleans the victim's clipboard, and then adds the code that the victim had copied, making them believe that nothing happened.
The attack can be very dangerous, especially if it is carried out through technical support pages or phishing emails. Users may believe that copying code from these sources is harmless, while in reality it may be a very dangerous exploit.
To test this new and rather insidious attack, visit the PoC and copy-paste the harmless text into a terminal.
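A defender-side check for the behaviour described above, as an added example that is not from the original article or from Dylan Ayrey's demo: it compares what the user highlighted with what is actually on the clipboard, and flags line terminators (which make a shell run pasted text immediately) and other control characters. The function names and sample strings are constructed for illustration.

```javascript
'use strict';

// Added illustration; names and sample strings are constructed, not from the PoC.
// selected  = text the user believes they copied (what was highlighted)
// clipboard = text that is actually about to be pasted into the terminal
function inspectPaste(selected, clipboard) {
  const findings = [];
  // A copy handler on the page can swap the clipboard contents entirely.
  if (clipboard !== selected) findings.push('mismatch');
  // A line terminator makes the shell execute the text as soon as it is pasted.
  if (/[\r\n]/.test(clipboard)) findings.push('line-terminator');
  // Other control characters (ESC and friends) can drive the terminal display.
  if (/[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/.test(clipboard)) {
    findings.push('control-char');
  }
  return findings;
}

// Make invisible characters visible so a human can review the paste.
function renderVisible(text) {
  const named = { '\n': '\\n', '\r': '\\r', '\t': '\\t' };
  return text.replace(/[\u0000-\u001f\u007f]/g, (c) =>
    named[c] || '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Constructed samples: the user highlighted "ls" each time.
const SAMPLES = [
  { selected: 'ls', clipboard: 'ls' },
  { selected: 'ls', clipboard: 'echo clipboard-was-replaced\n' },
  { selected: 'ls', clipboard: 'ls\u001b[0m' },
];

function report() {
  return SAMPLES.map(({ selected, clipboard }) => ({
    shown: renderVisible(clipboard),
    findings: inspectPaste(selected, clipboard),
  }));
}

for (const row of report()) {
  console.log(row.findings.length ? 'BLOCK' : 'ok   ', row.shown, row.findings.join(','));
}
```

Pasting into a plain text editor first gives the same review by hand: the text that appears there is what the terminal would have received.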
Read more details from the link below: