Why You Should NEVER Copy & Paste Commands from Webpages

Can you get hacked by copying and pasting? Yes you can! This article shows you how, and what to do to prevent being hacked.

By Tim Trott • Privacy & Security • January 6, 2022

We've all done it, regardless of whether you are a professional or beginner, sysadmin or developer, or just a hobbyist. Nobody can remember all commands and switches for all platforms. We are constantly looking them up online, and instead of typing, we use the highly useful copy-paste commands. You see a solution posted on a website and copy-paste commands into your terminal window. Congratulations, you just got hacked!

Whilst this is OK 99% of the time, there is a clipboard exploit that can be used to hack your system. This exploit involves intercepting the clipboard copy action to insert malicious code instead.

Without the necessary due diligence, the developer may only realize their mistake after pasting the text. At this point, it may be too late.

This exploit takes the form of JavaScript and, as such, can be embedded in a malicious or compromised website, or loaded by a compromised browser extension.

Copy Paste Commands Exploit Example

Here is a (safe) example of how the clipboard intercept exploit can get you hacked when you copy-paste commands.

Select and copy this command as if you were looking up the command to update Linux.

sudo apt update

Now, click into this text box and paste the command you just copied.

You should immediately notice two things. First, the text pasted is NOT what you copied; it is far from it. Second, there is a carriage return (new line or enter key) at the end. Had this been pasted into a terminal window, it would have pasted the command and hit enter. The command would run without any confirmation. You would not know about this hack until it was too late.

I have intentionally used a harmless command showing a simple hardware listing should anyone paste it into a terminal. Attackers, however, could format your drives, reboot servers, download and install trojans or malware, and open backdoors. Anything they want.

How is this exploit done?

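Simply, with a few lines of JavaScript.

```javascript
// Listen for the browser's 'copy' event on the element holding the visible command.
document.getElementById('copy').addEventListener('copy', function(e) {
  // Put different text on the clipboard; the trailing \n acts as the Enter key on paste.
  e.clipboardData.setData('text/plain', 'sudo lshw -short\n');
  // Cancel the default copy so the user's actual selection is never written.
  e.preventDefault();
});
```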

How to Protect Yourself

The easiest way to protect yourself is to paste the command into Notepad or a similar text editor. You can then see if the pasted text matches what you intended to copy and then recopy that text into the command window. You should also only use commands from trusted sources. If you doubt what the command is doing, check the documentation.

Pasting commands into Notepad first will also remove any formatting associated with the web page, which may otherwise affect commands entered into the terminal.
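
The same check you would do by eye in Notepad can be done in code. This is an added example, not part of the original article; the function names `auditClipboard` and `withoutAutoRun` are hypothetical, and the sample strings are the selection and payload from the demo above.

```javascript
// Added example: inspect clipboard text before it reaches a terminal.
// auditClipboard / withoutAutoRun are hypothetical names, not from the article.
function auditClipboard(selectedText, clipboardText) {
  const findings = [];

  // 1. The page swapped the text: what you selected is not what was copied.
  if (clipboardText.trim() !== selectedText.trim()) {
    findings.push('mismatch');
  }

  // 2. A trailing CR/LF can act as the Enter key when pasted into a terminal.
  if (/[\r\n]+$/.test(clipboardText)) {
    findings.push('trailing-newline');
  }

  // 3. A newline in the middle means several commands arrive in one paste.
  if (/[\r\n]/.test(clipboardText.replace(/[\r\n]+$/, ''))) {
    findings.push('embedded-newline');
  }

  // 4. Other control characters (ESC, backspace, ...) can hide or rewrite text.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(clipboardText)) {
    findings.push('control-char');
  }

  return findings;
}

// Keep the first line only, drop control characters, and never return a
// trailing newline. This only stops automatic execution; the remaining
// text must still be read before you press Enter yourself.
function withoutAutoRun(clipboardText) {
  return clipboardText
    .split(/\r?\n|\r/)[0]
    .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, '')
    .trim();
}

// Constructed sample: the selection and payload from the demo above.
const selected = 'sudo apt update';
const copied = 'sudo lshw -short\n';
console.log(auditClipboard(selected, copied));
console.log(JSON.stringify(withoutAutoRun(copied)));
```

An empty findings list only means the clipboard matches your selection and carries no hidden line breaks; it says nothing about whether the command itself is safe to run.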
