Security researcher Dylan Ayrey published a new method last week hacking, που ονομάζει Pastejacking και χρησιμοποιεί Javascript σαν μέσο επίθεσης.
The Pastejacking attack works in the same way as an older CSS attack but with Javascript, which makes it much more effective.
JavaScript is much more powerful language programming and much more flexible than CSS. With the older method that used CSS the user had to copy-paste the entire malicious text, while with Javascript there is no need to select the entire text.
Copying a single character is enough!
In theory, an attacker could add a malicious code of Rastejacking Javascript from an entire page when it makes a paste even for something very small in a terminal. That way he could run that orders he wants without knowing anything.
Dylan Ayrey posted a demo where the attacker runs his malicious code, cleans the clipboard of the victim, and then adds the code that the victim had copied, making them believe that nothing happened.
Η επίθεση μπορεί να είναι γίνει πολύ επικίνδυνη ειδικά αν γίνει μέσα από σελίδες τεχνικής υποστήριξης ή phishing emails. Οι χρήστες μπορεί να πιστεύουν ότι είναι αντιγραφή του κώδικα από αυτές τις πηγές είναι αθώα, αλλά στην πραγματικότητα να είναι πολύ επικίνδυνα exploits.
To test the new enough insidious attack, visit the PoC and copy-paste the harmless text into a terminal.
Read more details from the link below: