Why You Should NEVER Copy & Paste Commands from Webpages

Can you get hacked by copying and pasting? Yes, you can! This article shows you how, and what to do to prevent being hacked.

By Tim Trott | Privacy & Security | January 6, 2022

We've all done it, whether you are a professional or a beginner, a sysadmin, a developer or just a hobbyist. Nobody can remember all the commands and switches for all platforms. We constantly look them up online and, instead of typing them out, we copy and paste. You see a solution posted on a website and decide to copy and paste the commands into your terminal window. Congratulations, you just got hacked!

Whilst 99% of the time this is OK, there is a clipboard exploit which can be used to hack your system. The exploit intercepts the clipboard copy action and puts malicious code on the clipboard instead of the text you selected.

Without the necessary due diligence, the developer may only realize their mistake after pasting the text, at which point it may be too late.

This exploit takes the form of JavaScript and as such can be embedded in a malicious or compromised website, or it can be loaded by compromised browser extensions.

Copy Paste Commands Exploit Example

Here is a (safe) example of how the clipboard intercept exploit can get you hacked when you copy and paste commands.

Select and copy this command as if you were looking up the command to update Linux.

sudo apt update

Now, click into this text box and paste the command you just copied.

You should immediately notice two things. First, the text pasted is NOT what you copied. Far from it. Second, there is a carriage return (new line or enter key) at the end. Had this been pasted into a terminal window, it would have pasted the command and hit enter. The command would run without any confirmation. You would not know about this hack until it was too late.

I have intentionally used a harmless command which will show a simple hardware listing should anyone paste it into a terminal. Attackers, however, could format your drives, reboot servers, download and install trojans or malware, and open backdoors. Anything they want.

How is this exploit done?

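It is really simple, and takes only a few lines of JavaScript.

```javascript
// Listen for the copy event on the element that shows the command.
document.getElementById('copy').addEventListener('copy', function(e) {
  // Put different text on the clipboard; the trailing \n acts as the enter key when pasted.
  e.clipboardData.setData('text/plain', 'sudo lshw -short\n');
  // Stop the browser from writing the text the user actually selected.
  e.preventDefault();
});
```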

How to Protect Yourself

The easiest way to protect yourself is to first paste the command into Notepad or a similar text editor. You can then see if the pasted text matches what you intended to copy and then recopy that text into the command window. You should also only use commands from trusted sources, and if in doubt as to what the command is doing, check the documentation.

Pasting commands into Notepad first also removes any formatting carried over from the web page, which could otherwise affect commands entered into the terminal.
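The comparison you make by eye in Notepad can also be done in code. The following is an added example, not part of the original demo: the function names `auditPaste` and `visible` and the finding labels are made up for illustration, and the sample strings are constructed from the demo above. It goes a little beyond the demo by also flagging control characters and invisible Unicode characters, which a text editor may not show.

```javascript
// Added example: audit clipboard text before it reaches a shell.
// `selected` is what you highlighted on the page; `pasted` is what the
// clipboard actually delivered (for instance, read back from a scratch editor).
const INVISIBLE = /[\u200b-\u200f\u202a-\u202e\u2060\ufeff]/; // zero-width and bidi marks
const stripEol = (s) => s.replace(/[\r\n]+$/, '');

function auditPaste(selected, pasted) {
  const findings = [];
  // 1. Substitution: a copy handler replaced the selection (the demo above).
  if (stripEol(pasted) !== stripEol(selected)) findings.push('content-mismatch');
  // 2. A trailing CR/LF makes the terminal run the line without confirmation.
  if (/[\r\n]$/.test(pasted)) findings.push('trailing-newline');
  // 3. A newline before the end means more than one command would run.
  if (/[\r\n]/.test(stripEol(pasted))) findings.push('multiple-lines');
  // 4. Other control characters (ESC, backspace, ...) can alter what the terminal displays.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(pasted)) findings.push('control-characters');
  // 5. Characters that take up no space on screen but are still part of the command.
  if (INVISIBLE.test(pasted)) findings.push('invisible-unicode');
  return findings;
}

// Render the text with hidden characters spelled out, for manual review.
function visible(text) {
  return Array.from(text, (ch) => {
    const cp = ch.codePointAt(0);
    if (ch === '\n') return '\\n';
    if (ch === '\r') return '\\r';
    if (cp < 0x20 || cp === 0x7f || INVISIBLE.test(ch)) return `\\u{${cp.toString(16)}}`;
    return ch;
  }).join('');
}

// Constructed sample: the strings from the demo on this page.
const selected = 'sudo apt update';
const pasted = 'sudo lshw -short\n';
console.log(auditPaste(selected, pasted)); // findings for the demo paste
console.log(visible(pasted));              // the pasted text with the newline made visible
```

An empty result means the pasted text matches the selection and contains nothing hidden; any finding is a reason to retype the command by hand.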


Comments


  1. PE

    On Tuesday 20th of September 2022, Peter said

    good advice, thanks