Pastejack attack turns your clipboard into a threat

Once, you could use HTML/CSS to manipulate the clipboard, but it was not a good way to do so. Now a security bod has worked out how to do it in JavaScript and reckons it's a lot more dangerous. At first glance, it looks like purely a stunt-attack, except for this: a phishing e-mail purporting to be from tech support could …

  1. Shadow Systems

    I think I'm safe, buuuut...

    My browser is set to not do any scripting of any kind, not browse across domains, not to allow any copy+paste or drag & drop, & generally gives The Finger to most sites trying to pull anything funny.

    The "Trusted" sites only get those options set to "Prompt for permission", so if they've caught me in a bad mood then I won't let THEM do it either.

    So if I have to try & copy+paste a malformed bit o' JS to trigger this particular exploit, then the fact that my browser refuses to run them at all should keep me fairly safe, right?

    I hope so, I'm getting right fekkin sick of this shite. You can't browse the web without encasing your computer in a steel belted condom, else you might as well just post all your personal details to Reddit & be done with life.

    =-(

    1. waldo kitty
      Facepalm

      Re: I think I'm safe, buuuut...

      From what I've read and understand, it ain't the browser doing the executing... it is the clipboard, but then again, it takes the originating app to put the data into the clipboard, so it could be the browser, or word processor or even the command interpreter...

      1. Clive Galway

        Re: I think I'm safe, buuuut...

        It is done in the browser. The exploit is JavaScript.

        https://github.com/dxa4481/Pastejacking/blob/master/index.html

        1. Sir Runcible Spoon

          Re: I think I'm safe, buuuut...

          Ever since Micro$hite stuffed embedded codes in Windows (which is a fair while ago) I developed the habit of pasting everything into a text editor first to strip it of any formatting etc. before copying and pasting again into another document.

          Goes all a bit awry if you don't :)

    2. Flocke Kroes

      Re: I think I'm safe, buuuut...

      Completely safe if you have turned off JavaScript, and probably for other reasons too.

      The article mentions something about copying with ctrl+c. Click and drag to select and middle click to paste have been standard in X since I was a PFY. The behaviour is so consistent that I had to ask for help when I was stuck with Windows for a few minutes. I have seen Windows style somewhat consistent keyboard shortcuts for copy and paste in Unix software either to make Windows users feel at home, or as pointless cruft in portable applications. Click and drag puts the selected text in the paste buffer, so my browser has no keyboard shortcut for copy. It does understand shift+<cursor movement> to select, shift+delete to delete and shift+insert to put back, but those only work in text boxes, and do not use the paste buffer.

      Someone brave enough to enable JavaScript could test to see if the code really required a key press, and if it can find the one used for copy (if it even exists).

      For this attack to work the attack page needs enough social engineering to get a user to find and press the copy button, then paste into a shell instead of a text editor. A Unix text editor is the ultimate defence against this sort of attack. No-one can escape from vi.

    3. Anonymous Coward

      Re: I think I'm safe, buuuut...

      Somewhere in Mekonta:

      "Hmm, '...steel belted condom...'. Minion! Include magnets in the next payload."

  2. JeffyPoooh
    Pint

    Backspace packing

    Within many environments, the user display will dutifully obey the backspace character (ASCII 8), even embedded within the script or code. So by packing in some ASCII backspaces (using a routine to replace a placeholder character with ASCII 8), actual code can be hidden 'beneath' the backspaces, and decorative fake code can be displayed (after a hidden REM).

    A BASIC example (from ~33 years ago):

    10 PRINT "Yes!"; REM ^h^h^h^h^h^h^h^h^h^h^h "No!"

    LIST

    10 PRINT "No!"

    RUN

    Yes!

    By this means, what is apparently listed and what is actual hidden code can be perfectly independent. The only clue might be the file size, if they're paying attention and counting characters.

    Any environment that obeys the backspace is vulnerable to this mischief.

  3. Chemist

    This (at the moment) appears to need the user to use the keyboard shortcuts. Certainly on my OpenSUSE desktop using a variety of browsers, highlighting the text and then right-click - copy doesn't invoke the 'attack'. Given that you probably used the mouse to highlight the text it will be quicker to use the mouse at that point to copy.

    Still quite a warning about Javascript.

    1. Just Enough

      Not 100% successful

      It's totally reliant on the user using Ctrl+C to copy. What text you have highlighted makes no difference. Ctrl+C anywhere on this page gives you "evil".

      But if the user is in the habit of copying by either using the top menu or right-click context menu, it doesn't work.

      1. Swarthy

        Re: Not 100% successful

        Ctrl+C, or any other keystroke on that page. It's not checking for copy, it's checking for a keypress.

  4. Anonymous Coward

    Or there's this one -

    A while back, I came across this one on a 3-year-old Reddit thread, "Don't Copy-Paste from Website to Terminal".

    Similar risk, but without the need for javascript. Though it is probably more obvious in action, unless you're not paying attention.

    1. Anonymous Coward

      Re: Or there's this one -

      I suppose the trick would be, if you have to cut/paste, to paste into a (sufficiently dumb) editor first...

      1. Anonymous Coward

        Re: Or there's this one -

        Yep - that's what I do.

      2. BarryUK

        Re: Or there's this one -

        .. or, in this case if you do the copy by right-clicking and selecting 'Copy' from the menu then the exploit does not work. The script only works for Ctrl-C

  5. Aslan

    Dangerous

    I'm surprised the command line in Windows respects the return key, that would seem to be a dangerous mistake. Changing text copied to the clipboard is nothing new, I've seen it for years, on more than three different sites, usually it's just an attribution as to where the material is from, but sometimes it's been nastier, trying to get me to subscribe to a publication, or a random ad for something else entirely is the worst I've seen.

    Still I was smugly thinking to myself, I'd never copy text from the internet to a command line, except, no, actually I have. I played with several Hackintoshes, until I realized as nice as OS X was I wasn't going to pay through the nose to be a customer and Apple didn't want me as one. Their hardware's lovely, but why can't they put out anything affordably priced for the spec? Then I remembered trying to get Linux to work. Everything's fine, and each time you try it it looks like they really have made it into a functional OS this time that one could get day to day work done on, and then you run into that essential piece of hardware you need, that simply won't function, but it's kindof like this other one, so maybe if you download this development software and a compiler you could compile your own driver and get it working. Of course you can't do any of this graphically Linux programmers are fucking machoists that love obscure commands and flags. And sometimes there's a guide that almost does what you need, but it's incomplete or you need another version of a program and Linux is simply fucking hell. And yes I've copy pasted commands from the internet into a terminal as root in Linux, although only reviewing them so that I had a fair understanding of them.

    Thus the only way I've found to get a functional Linux system is buy it from a system integrator who charges a premium for a working system, System 7, Dell, or one can waste their time obsessing over every little component of the system and ensuring it has bonified open source 'cred, or simply run it in a VM on Windows. In such cases Linux can be reasonably pleasant and functional.

    So in short I could have fallen victim to this attack. Now I'll know to copy and paste everything to a simple text editor such as Notepad in Windows, which at least with the example, shows me the attack version.

    1. Chemist

      Re: Dangerous

      "Thus the only way I've found to get a functional Linux system is buy it from a system integrator who charges a premium for a working system, System 7, Dell, or one can waste their time obsessing over every little component of the system and ensuring it has bonified open source 'cred, or simply run it in a VM on Windows. In such cases Linux can be reasonably pleasant and functional."

      WHAT ! - have you traveled in a time-machine from the early 90's ?

      For years before I retired (and that was eight years ago) I was using a company supplied workstation running RedHat for all my scientific computing. In parallel I've been using Linux at home since the beginning and exclusively since ~2006. I don't recognize the scenario you present. Sure if you have an obscure bit of hardware that may be a no-no. But even in 2004 I was using hardware stereo graphics under Linux with an extremely expensive graphics card/LCD specs.

    2. Steve the Cynic

      Re: Dangerous

      "Then I remembered trying to get Linux to work. Everything's fine, and each time you try it it looks like they really have made it into a functional OS this time that one could get day to day work done on, and then you run into that essential piece of hardware you need, that simply won't function, but it's kindof like this other one, so maybe if you download this development software and a compiler you could compile your own driver and get it working."

      I had something like this with Linux. ONCE.(1) And it was nearly 20 years ago. Since then, real hardware or not, I have had no such problems.

      (1) OK, I'll tell you, since you insist. It was a PCMCIA Ethernet card, allegedly an NE2000 clone, by some cheap-ass Taiwanese outfit. The laptop in question, on a different hard disk, ran Windows 98SE, and that OS was perfectly(2) happy with the card. The relevant driver code in the Linux kernel checked the device IDs and such, realised that it was talking to that particular card, and refused to have anything to do with it as the silicon was too buggy for words. The conflict between the two attitudes was a bit startling.

      (2) Well, no, probably not perfectly happy. More likely "sufficiently" happy. Better?

  6. nsld

    Interesting

    SaaS tech support will often ask for trace routes to look at issues connecting to services so using a spoof tech support email as cover is a clever tactic.

    Worse part is that even if it doesn't auto run the non tech savvy end user will probably run the changed code anyway.

  7. Paul Woodhouse

    damn, that's sneaky and scarily a little obvious.

    can see many many scenarios on 'nix user help websites where that could be used to "evil" effect..

    1. VinceH

      More worryingly, would it be possible to read the clipboard rather than write/alter it? I'm thinking long passwords stored in a password manager, which users copy and paste into password fields; if reading is possible (and the ability to write/change it suggests it would be), then a dodgy bit of Javascript brought in with a dodgy advert could be a way to nab such passwords.

      [Hugs NoScript, just in case]

      1. Robert Carnegie

        Apparently yes

        http://www.dpriver.com/pp/sqlformat.htm is an online service to make SQL more readable[*]. It provides a "Copy to clipboard" button - and using that produces a message saying that I'm also giving it permission to READ the clipboard. Oh, and I'm also giving a stranger some SQL program that I wrote with my own hands. (The program's owner is my boss, though, so I don't much care if it's stolen by sinister Eastern European database engineers.)

        It's useful, probably legitimate - maybe, and probably honest - maybe.

        It seems to say "Copy Successful!" even when it isn't. I think my browser is lying to the web site. At least the browser is on my side today.

        I think Notepad++ also comes with a desktop SQL formatter, but my boss says we can't afford to get Notepad++ (it's free).

        [*] Feed it this:

        select a, b, c from someTable

        Much more readable now! :-)

  8. Santa from Exeter

    Variable results

    Using Linux (RHEL6) and Firefox, if I highlight the code, then middle click to paste I see "not evil" both on the command line and in Vim, if I use KNotes and create a new note from the clipboard I get 'evil'

  9. Graham Marsden
    Coat

    If you worship the Flying Spaghetti Monster...

    ... would that be PastaJacking?

    (Mine's the coat and the colander...)

  10. LeeH

    Clever Evil Application of a Really Obvious Copy/Paste Trick

    This is the same as appending a website URL or copyright notice attribution to copied text. Not a huge leap from that to applying it to commands intended to be pasted directly into a terminal. Clever idea.

    Simple defence: Paste into a text editor before pasting into a terminal in a GUI environment. I've always done this when pasting code into a terminal but only because commands sometimes execute before I've pressed the return key and that annoys me.
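
An added example, not part of any comment above or of the linked demo: a Python sketch of the check behind the "paste into a text editor first" advice and the backspace-packing comment. It lists the control characters in copied text and approximates what a display that obeys backspace would show; the sample strings are constructed and the function names are hypothetical.

```python
import unicodedata

# Control characters a copied one-line command has no reason to contain.
NAMES = {"\b": "BACKSPACE", "\r": "CARRIAGE RETURN", "\n": "NEWLINE",
         "\x1b": "ESCAPE", "\x7f": "DELETE"}

def findings(text):
    """Return (offset, description) for every control/format character."""
    out = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if cat in ("Cc", "Cf") and ch != "\t":
            out.append((i, NAMES.get(ch, "U+%04X %s" % (ord(ch), cat))))
    return out

def rendered_view(text):
    """Approximate what a display that obeys BS and CR shows, line by line."""
    lines = []
    for raw in text.split("\n"):
        cells, col = [], 0
        for ch in raw:
            if ch == "\b":
                col = max(col - 1, 0)        # cursor moves left, nothing erased
            elif ch == "\r":
                col = 0
            elif unicodedata.category(ch) not in ("Cc", "Cf"):
                if col < len(cells):
                    cells[col] = ch          # overwrite what was shown before
                else:
                    cells.append(ch)
                col += 1
        lines.append("".join(cells))
    return "\n".join(lines)

def is_safe_single_line(text):
    """True only if the text contains no control characters at all."""
    return not findings(text)

# Constructed samples: one hides text under backspaces, one ends in a newline.
HIDDEN = 'PRINT "Yes!"' + "\b" * 12 + 'PRINT "No!" '
PASTED = "echo not evil\n"

if __name__ == "__main__":
    for sample in (HIDDEN, PASTED):
        print(repr(sample), "->", repr(rendered_view(sample)), findings(sample))
```

The trailing newline in the second sample is the character that makes a shell run the line as soon as it is pasted, which is why a paste that should be a single command is only accepted when `findings` returns an empty list.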
