As an addendum, never install anything in a command line by piping the results of a curl command directly to the shell. This is disturbingly common. For example, the standard Ruby Version Manager suggests you install it like this:
\curl -sSL https://get.rvm.io | bash
Don't do that, and if anyone asks you to do that, they should feel bad.
ha ha ha ha! Suckers!
I LOLed!
I am a Linux novice, but am aware of the possibility of easily hosing or unsecuring my system.
If I had to copy something off the web, I would paste it into a text buffer instead, to be sure of what it was. Pasted stuff could include even a return/enter character to run it automatically from a terminal.
Better yet, use the "man" command with your binary of choice as an argument, so you can learn what they are, what they do, and what arguments they accept. Then you are in a better position to know a bit about how your system works.
[quote="FTFA"]
Mark it with your mouse, copy it somehow (e.g. using CTRL+C) and paste it into a terminal. What happens?
[/quote]Since I'm not on a Linux machine, I have no idea. It would be nice if TFA told us what it did without making us actually do it under the specific OS you're not supposed to do that sort of thing on…
If someone gives you a bad shell command, just do what I do and delete /etc. Works every time.
(In case it's not obvious: Do NOT delete /etc unless you know what you're doing and why.)
Also, for that matter, do not pour salt water into your computer or place your laptop in the microwave. Even if someone from technical support tells you to. Perhaps especially if so.
I just gave the links a quick glance, but the main attack vector seems to be text strings with partial obfuscation via CSS display props. (Here's one source)
Works fine against Windows, too. The linked Reddit thread covers some of that, but it's a long wearisome thread…
I'm a fan of keeping a 7-bit editor handy to wash copy operations from web pages.
I paste into notepad as a habit 'cause Windows likes to be "smart" on me and do fancy crap I don't want done with formatting which I never ever want.
buuut laaazyness! Also, if you're copying code from a site that you're pretty much running compiled software as root, you're really only opening yourself up to some nasty XSS, but it is a good reminder to not just trust some stranger's code. Recalling a script I wrote with a bunch of "rm -rf" commands, you could get some interesting glitches by adding "-exec sed -i 's#/bin#\ /bin#g' {} ;" to an overly inclusive find command.
I think it's mostly Word. I've taken to writing in Notepad++ when I need to make something to paste into a webform.
Can we have the old web back?
With just text files, images, and links to other text files and images?
I thought this topic would just be a reminder not to run commands you don't understand.
But actually the article warns us about something that should not even be possible.
Uh, the tl;dr is wrong; this has nothing to do with JavaScript.
I was thinking of writing an endorsement of an Oh-My-Zsh plugin, safe-paste.
Then I remembered that the way the Oh-My-Zsh people recommend installing Oh-My-Zsh is with wget or curl, piped through sh.
And that's not much different from how Oh-My-Zsh updates itself.
Suddenly, I don't feel like Oh-My-Zsh is so clever.
Seconded - the TL;DR should talk about shell commands, not Javascript. This particular exploit doesn't involve Javascript.
And nothing is being automatically executed here; the end user is explicitly pasting commands into a terminal in this scenario.
This exploit doesn't work if you aren't allowing scripts by default. Which I'm not. So, problem solved in 0 easy steps.
There is a similar problem with web links. Some sites will have a link that you think is directly taking you to the target site, but it is actually wrapped in a tracking web site like viglink full of information about who you are and where you came from.
As if they could possibly understand! XD
I was suspicious of this too. I wasn't under the impression that clipboard contents were executed or interpreted.
wait what? this is a joke right?
if serious, on what os? which javascript engine is running it from the clipboard? the linked-to clever fellow's explanation says no such thing… I program javascript all day and cut and paste javascript like a champ, nothing ever runs. I'll assume this is just a joke and I'm not getting the humor.
nothing should ever run from the clipboard directly… unless you have the world's worst clipboard extension installed.
This LINK talks about clipboard poisoning… which still doesn't execute automatically from the clipboard, rather it changes the clipboard content from what you think you copied to something less desirable. You still have to paste it into a terminal to execute.
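A way to act on the "paste it into a text buffer first" and "keep a 7-bit editor handy" advice earlier in the thread, as an added example that is not from the thread or the linked article: a small checker that takes the text you are about to paste (in practice the output of `xclip -o` or `pbpaste`; here constructed samples, one of them shaped like the clipboard poisoning the post above describes, where the copied selection carries an extra hidden line plus the newline that runs it) and reports what a terminal would do with it. The `PIPE_TO_SHELL` pattern, the function names and the sample strings are my own assumptions, not anything from the page.

```python
import re
import string

# Plain printable 7-bit ASCII (letters, digits, punctuation, space). Tabs and
# line terminators are deliberately excluded so that they get rendered visibly.
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")

# Heuristic for the thread's addendum: a download piped straight into a shell.
# (Constructed pattern; it is a warning sign, not a complete detector.)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def visible(text: str) -> str:
    """Render text so nothing can hide: every character outside plain printable
    ASCII is shown as a Python-style escape (\\n, \\x1b, \\u200b, ...), much as
    `cat -v` does for bytes."""
    return "".join(
        ch if ch in PRINTABLE_ASCII else ch.encode("unicode_escape").decode("ascii")
        for ch in text
    )


def inspect_paste(text: str) -> dict:
    """Report what a terminal would do with `text` if it were pasted as-is."""
    findings = []

    # 1. Any line terminator means the shell runs everything before it the
    #    instant you paste, before you have a chance to read it.
    if "\n" in text or "\r" in text:
        findings.append("contains a line terminator: would execute on paste")

    # 2. Characters outside printable 7-bit ASCII: control codes, terminal
    #    escape sequences, zero-width or look-alike Unicode. A 7-bit editor
    #    would strip these; here we just surface them.
    hidden = sorted({ch for ch in text if ch not in PRINTABLE_ASCII and ch not in "\t\n\r"})
    if hidden:
        findings.append(
            "%d non-ASCII or control character(s): %s"
            % (len(hidden), " ".join(visible(ch) for ch in hidden))
        )

    # 3. curl/wget piped into a shell: runs whatever the server sends today.
    if PIPE_TO_SHELL.search(text):
        findings.append("pipes a download straight into a shell")

    return {"visible": visible(text), "findings": findings, "safe": not findings}


if __name__ == "__main__":
    # Constructed samples (not real clipboard captures). The first has the shape
    # of the clipboard poisoning discussed above: the page displayed one line,
    # but the copied selection carried a second command and the newline that
    # runs it.
    samples = {
        "poisoned": 'git clone https://example.invalid/repo.git\necho "ran before you could read it"\n',
        "control-chars": "echo \x1b[1mhello\x1b[0m",
        "pipe-to-shell": r"\curl -sSL https://get.rvm.io | bash",
        "clean": "ls -la",
    }
    for name, text in samples.items():
        report = inspect_paste(text)
        print("%-14s %s" % (name, "OK" if report["safe"] else "CHECK"))
        print("    looks like :", report["visible"])
        for finding in report["findings"]:
            print("    finding    :", finding)
```

Run it with the clipboard as input (`xclip -o | python3 -c '...'` or wrap `inspect_paste` in a tiny script) before pasting anything copied from a web page; the "looks like" line shows the text with every newline and hidden character spelled out, which is the same check a 7-bit editor gives you by hand.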