Don't copy-paste commands from webpages — you can get hacked

Wow!! copy/paste from web pages, which I do a lot of especially in Linux, is going to be a tough habit to break.

EDIT

there is this:

https://www.wizer-training.com/blog/copy-paste

Also I noticed on my Linux clipboard:



...it copies both the malicious text and harmless text, so this could allow an audit and selection of the harmless entry only.

 

I think that commenting isn't bulletproof, because I saw that multiline copy-paste can make comment only apply to first line.
However I tested copy-pasting in two browsers (Vivaldi, Firefox) and Firefox for some reason seems to be immune to attack.

Best way to prevent it is probably to have some intermediate program like notepad to proxy clipboard content.

 

The malicious test code was not copied to the clipboard from Firefox?

EDIT

just found out about this FF flag:

dom.event.clipboardevents.enabled ..change to disable.

 

Any time I copy/paste I go to Notepad first and paste it there. This removes any formatting that is not plain text and if the text doesn't match at all it will be quite obvious. Once it looks the way you want it to in Notepad (or your text editor in Linux) copy and paste from there.

 

I would never copy/paste direct from a webpage into the Terminal.

 

Good plan that you and @reasonablePrivacy suggest I've disable the preference "dom.event.clipboardevents.enabled" in Firefox and that prevents the malicious code too. So there seems to be:

1. copy to text editor and audit
2. copy to clipboard and audit
3. count on the disabled Firefox preference

 

4. https://www.tenforums.com/tutorials/113963-turn-off-copy-paste-application-guard-microsoft-edge.html

Check if it works for you using an OS higher than Home.

 

I'm both too lazy and can't be bothered to try. I'm sure it works, but I don't want to disable copy/paste, because i use it fairly often, although mostly in Linux, and the methods discussed above should be most suitable and secure.

 

Yeah, disabling copy/paste is more extreme than I want to go.

 

Confirmed.



I always have that about:config dom.event.clipboardevents.enabled preference set as false.
I see it's also metioned in comments, by Mr. Chip,
"In firefox's about:config section you can disable dom.event.clipboardevents.enabled to avoid this nasty problem."
https://www.wizer-training.com/blog/copy-paste

 

PoC didn't work here.
'dom.event.clipboardevents.enabled' is already set to 'false'.

In Linux, I usually paste selected text by middle-clicking in editor or terminal and then the PoC didn't work when 'dom.event.clipboardevents.enabled' set to 'true'.

The original source of all this: http://thejh.net/misc/website-terminal-copy-paste (2013).

 

I have the Copy PlainText add-on install with Firefox. Select "sudo apt update", right-click, select Copy PlainText from the context menu, 'udo apt update' goes to the clipboard.

I set "dom.event.clipboardevents.enabled" to false, it works, "sudo apt update" went to the clipboard. I will be adding this to my user.js file.

 

Another test using the same test command from here:

https://www.wizer-training.com/blog/copy-paste

I used latest Edge-beta in Linux MX-21 to copy the test command and paste it into Konsole terminal. The first screen shot is all that happened; the malicious code pasted, but it did not execute automatically. Only after I manually hit the <Enter> key did the malicious code run, as seen in the second screen shot.

 

Or using a clipboard manager which captures the clips as plain text would do the same. Right?
This seems to me more comfortable as I do not have to use every time an intermediate text editor like Notepad.

It obviously has a similar function like an appropriate add-on:

 

Right, which I listed as #2

 

Maybe. Depends on what that plain text is that goes to the clipboard. JavaScript code is plain text. A Carriage Return is plain text. If the plain text amounts to what you see then sure. If it still picks up code then no.

 

i always do it @xxJackxx 's way. first paste it to notepad and then copy again.

 

Thanks, @wat0114 and @xxJackxx.

I have one more, perhaps silly but basic question:

The dangers described in this thread respectively in the linked articles exist when "copying-pasting commands from web pages into a console or terminal" (article of posting #1). And corresponding in the other article (posting #2): "This is why you should NEVER copy paste commands directly into your terminal."

That means the copying-pasting of a "normal" text (e.g. a sentence from an online newspaper or a forum) - typically to save it in a .doc-file for future reading - does not belong to this dangerous category and can be done without the discussed safety precautions? Is this correct?

 

I guess there are two answers to this.

1. You can't really know if what you are copying, even if it's from an online news article, is actually harmless text or malicious code.

2. If you paste into a word or text document and save it as such with .doc or .txt extension for example, I think it is safe.

That's how I understand it but I could be missing something.

 

I think a lot depends on were you are getting the copy from. For example a forum code block. Seems that sould be fairly safe. That said I generally never copy and paste anything from a web page directly in to a terminal, especially as root.

 

Also from 2013, https://security.stackexchange.com/...tect-myself-from-this-kind-of-clipboard-abuse

 

If it is just text it should be fine. Word is capable of running malicious code but I haven't previously looked into whether or not this can happen from pasting the clipboard contents into it. Notepad or a similar text editor would be a safer bet until you see the actual content.

 

Thanks for your explanations, @wat0114, @chrisretusn and @xxJackxx.

 

No problem, although I admit this is a threat I never took notice of before. Many, many times I copy/pasted commands into Linux terminal with no consequence. Based on some experimentation, the threat actually seems a bit blown out of context - what else is new with these types of articles. No auto-execute of the script in my case at least, and I did nothing to change the behavior of the terminal.