NEVER Copy & Paste Commands from Webpages to Terminals

Published January 6, 2022.

You see a command posted on a website and decide to copy & paste it into your terminal window. Congratulations, you just got hacked!

We've all done it, whether you are a professional or a beginner, a sysadmin, a developer or just a hobbyist. Nobody can remember all the commands and switches for all platforms. We are constantly looking them up online, and instead of typing them out we use the highly useful copy and paste.

Whilst 99% of the time this is OK, there is a clipboard exploit which can be used to hack your system. This exploit involves intercepting the clipboard copy action and placing malicious code on the clipboard instead of the text you selected.

Without the necessary due diligence, the developer may only realize their mistake after pasting the text, at which point it may be too late.

This exploit takes the form of JavaScript and as such can be embedded in a malicious or compromised website, or it can be loaded by compromised browser extensions.

Copy and Paste Commands Exploit Example

Here is a (safe) example of how the clipboard intercept exploit can get you hacked.

Select and copy this command as if you were looking up the command to update Linux.

sudo apt update

Now, click into this text box and paste the command you just copied.

You should immediately notice two things. First, the text pasted is NOT what you copied. Far from it. Second, there is a carriage return (new line or Enter key) at the end. Had this been pasted into a terminal window, it would have pasted the command and hit Enter. The command would run without any confirmation. You would not know about this hack until it was too late.

I have intentionally used a harmless command which will show a simple hardware listing should anyone paste it into a terminal. Attackers, however, could format your drives, reboot servers, download and install trojans or malware, or open backdoors. Anything they want.

How is this exploit done?

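Really simply, with a few lines of JavaScript.

```javascript
// Listen for the copy event on the element that displays the command.
document.getElementById('copy').addEventListener('copy', function(e) {
  // Put different text on the clipboard; the trailing \n acts as the Enter key.
  e.clipboardData.setData('text/plain', 'sudo lshw -short\n');
  // Stop the browser from copying the text that was actually selected.
  e.preventDefault();
});
```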

How to Protect Yourself

The easiest way to protect yourself is to first paste the command into Notepad or a similar text editor. You can then see whether the pasted text matches what you intended to copy, and then recopy that text into the command window. You should also only use commands from trusted sources, and if in doubt as to what a command is doing, check the documentation.
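
The same check can be automated. The following is an added example, not code from the original article: it compares the text you meant to copy with what the clipboard actually holds, and goes slightly beyond the case shown above by also flagging embedded line breaks and other non-printing characters. The function names `auditPaste` and `visualize` are hypothetical, and the sample strings are the ones from the demonstration on this page.

```javascript
// Added example: audit clipboard text before it reaches a shell.
// `intended` is what you believe you selected; `pasted` is what the clipboard holds.
function auditPaste(intended, pasted) {
  const findings = [];

  // The intercept shown above swaps the whole payload, so compare first.
  if (pasted !== intended) {
    // Text that differs only by surrounding whitespace is still reported,
    // because a trailing newline is what makes the terminal run it.
    findings.push(pasted.trim() === intended.trim()
      ? 'differs-only-in-whitespace'
      : 'content-mismatch');
  }

  // A trailing CR or LF acts as the Enter key in a terminal.
  if (/[\r\n]+$/.test(pasted)) findings.push('trailing-newline');

  // A line break before the end means more than one line would be submitted.
  if (/[\r\n]/.test(pasted.replace(/[\r\n]+$/, ''))) findings.push('embedded-newline');

  // Other non-printing characters (tab, CR and LF excluded) should never
  // appear in a command copied from a web page.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(pasted)) findings.push('control-characters');

  return { safe: findings.length === 0, findings };
}

// Render the text so that invisible characters become visible for review.
function visualize(text) {
  return text.replace(/[\x00-\x1f\x7f]/g, (c) =>
    '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Constructed sample: the two strings from the demonstration on this page.
const intended = 'sudo apt update';
const pasted = 'sudo lshw -short\n';
const report = auditPaste(intended, pasted);
console.log(report.safe ? 'OK to paste' : 'DO NOT PASTE: ' + report.findings.join(', '));
console.log('Clipboard contains: ' + visualize(pasted));
```
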
