Why You Should Never Rashly Copy Commands From Websites


Yesterday I saw something on Reddit that shocked me.

We all do it almost every day — we look for something on the internet, find a website, and copy terminal commands and other things directly from the site.

Then we paste them directly into the terminal to install things, write code or make configurations.

*But there is a huge problem:* copying text on a website can be exploited extremely easily with JavaScript.

JavaScript can react to the press of “_copy_” or the key combination and write something into the clipboard on its own — completely independent from the text we actually wanted to copy.

This can cause us to paste commands into our terminal that we did not want.

An even bigger problem is that, depending on the command we paste, we don’t even have to confirm the execution by pressing Enter.

If the command contains a newline (\n), it is executed immediately when we paste it into the terminal.

Here you can see an example:

[Figure: bash command gets executed instantly. Source: the author]

You can try it out for yourself here.

As you can see, I just paste the copied code, and it will be executed immediately.

If you already have root privileges in the session at this point, almost anything is possible. A single command that you don’t expect can destroy important files or install software and execute it immediately.

I have tried it on a Windows PC & MacBook — in Firefox, Safari, Chrome & Opera. It works everywhere — no matter if you click on copy in the context menu or use the key combination.

Here is how easy it is

As already mentioned, the whole thing works with JavaScript. We can react individually to the copy event in the browser. JavaScript can suppress the standard reaction (i.e., the copying of the actual text). As you know, it is also possible to save to the clipboard with code.

Combining both provides the exploit.

With document.getElementById we select the element for which we want to intercept and manipulate the copy event. First, we add an event listener for the copy event.

Then we call a function to save text to the clipboard.

Finally, we block the default action that the browser would otherwise perform: the unmanipulated copy to the clipboard, which works without JavaScript.

The browser's own copying of the selected text is now suppressed.
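
A check a reader can run against this behaviour, as an added example that is not code from the original article: it compares the text that was selected with what actually landed on the clipboard and reports which lines a terminal would run on paste without Enter. The name `inspectPaste`, the sample strings and the extra control-character check (a generalization beyond the newline case described above) are assumptions made here.

```javascript
// Added example: audit clipboard text before it is pasted into a terminal.
// inspectPaste and the sample strings are constructed for illustration.
function inspectPaste(selected, clipboard) {
  // Treat CRLF and lone CR like LF: each one ends the line the way Enter does.
  const text = clipboard.replace(/\r\n?/g, "\n");
  const parts = text.split("\n");
  const pending = parts.pop();   // text after the last newline still waits for Enter
  const autoRun = parts.filter((line) => line.trim() !== "");

  // Control characters other than tab/newline can hide or rewrite what is displayed.
  const controlChars = [...text].filter((c) => {
    const code = c.charCodeAt(0);
    return (code < 0x20 && c !== "\n" && c !== "\t") || code === 0x7f;
  }).length;

  // Make every invisible character visible so the real content can be reviewed.
  const visible = text.replace(/[\x00-\x1f\x7f]/g, (c) =>
    c === "\n" ? "\\n" : c === "\t" ? "\\t"
      : "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));

  const findings = [];
  if (text.trim() !== selected.replace(/\r\n?/g, "\n").trim())
    findings.push("clipboard differs from selection");
  if (autoRun.length > 0)
    findings.push(`${autoRun.length} line(s) run without Enter`);
  if (controlChars > 0)
    findings.push(`${controlChars} control character(s)`);

  return { safe: findings.length === 0, findings, autoRun, pending, visible };
}

// Constructed samples: what the user highlighted vs. what a page put on the clipboard.
const selected = "sudo apt update";
const swapped = "echo 'not what you selected'\n";   // harmless stand-in text
console.log(inspectPaste(selected, selected));
console.log(inspectPaste(selected, swapped));
```

The same review can be done by hand: paste into a plain text editor first and look at the `visible` equivalent there before anything reaches a shell.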
