By Pankaj Rane - April 30, 2018
The easiest method to obtain any text and images from a website is to select it, copy it and paste it.What if the pasted material is not what you copied from the website? Surely, you’ll copy-paste again, and the results might be the same. It’s risky, and we’ll talk why.
A quick example is that you copy a command from a website and paste it on the console. It turns out the command was changed, and this damages your data. Is it something wrong with the way you copy paste? Or is it something malicious? Here comes Pastejacking into the picture. The attack is not the latest one but it surely has gained attention these days due to some hacks.
What is PasteJacking?
Pastejacking is a method that malicious websites employ to take control of your computers’ clipboard and change its content to something harmful without your knowledge.
Nearly all browsers allow websites to run commands on the users’ computers. This feature can allow malicious websites to take over your computers’ clipboard. That is, when you copy something and paste it to your clipboard, the website can run one or more commands using your browser. The method can be used to change the Clipboard contents. While it may not be much dangerous if you are just copying to Notepad or Word etc., it could be a problem for your computer if you paste something directly to the Command Prompt.
For example, someone looking for advice on windows cmd.exe commands could copy and paste the code found in articles online tutorials or forums, but the malicious person behind that site could attach dozens of lines of malicious code malware that are downloaded from a source and are installed on your computer online. All this can happen silently, without the user noticing anything.
In fact, for Linux users, this happens much more so when they want to copy everything from the site and paste it into their terminal, and then they use it very quickly without revising the "Enter" button; their chances of hacking are very high.
Here is a demonstration of a website that attracts a user to copy an innocent looking command.
The demonstration site is credo by a security researcher web page.
If a user tries to copy text with keyboard shortcuts, i.e; Ctrl+C or Command+C, 800 ms timer establishes that will override the user’s clipboard with malicious code.
Echo “not evil” is replaced with echo “evil”\n
Note the newline character is added at the end of the line. When a user goes to paste the command in the terminal echo, “evil” it is automatically displayed on the screen without giving the user the opportunity to review the command before running.
Touch~/.evilclearecho “not evil”
The command will create an “evil” file in your home directory and clean the output terminal. The victim appears to have intended to copy the command in the terminal.
This method can be combined with phishing attacks to lure users to execute commands. The malicious code will override the innocent code, and the attacker can gain remote code execution on the user’s host if the user pastes the contents into the terminal.
How you protect yourself from PasteJacking Attacks?
If you are an OS X, you can use the iTerm emulator for safety. It will prompt you in case pastejacking happens with already appended Enter set of characters.
Windows users need to check what is placed into your computers’ clipboard. To do this, first, paste the contents into the Notepad. It pastes clipboard as text only and lets you see what is there on the clipboard. If you see what you copied, you can go ahead and paste it wherever you want. It means an additional step but is better than getting Pastejacked. Remember that using Word to check clipboard may be dangerous as it too is programmable using macros etc.
Remember that using Word to check clipboard may be dangerous as it too is programmable using macros etc. Notepad is not programmable and hence is safe to check the contents of the clipboard. Of course, you will not see the format, fonts, and styles, etc. as the contents are pasted as plain text.
For images, right-clicking and selecting “Save As” is better than using the “Copy” command.