Pastejacking: using malicious javascript to insert sneaky text into pasted terminal commands


#1

[Read the post]


#2

Pastejacking:

Had an awful roomie that used to do that.

[note sarcasm]


#3


#4

The default Mac terminal warns users when they’re pasting commands that have a carriage return, and gives them the option of removing it. This seems like a good countermeasure to me

Won’t do much about semicolons or the other fun methods to make one-liners, but I guess it does help prevent it from just running… so long as you haven’t seen too many of those warnings and just gotten used to bypassing it.

On the bright side, this is at least more preventable than the old “mess with someone using voice commands by shouting ‘rm -rf /’”. Easiest thing is to copy any command first into a text editor before running it. And after all, you ought to be documenting what commands you’re running so you can refer back to it later… right?

There’s a very old joke that one of the last things you want to hear from your sysadmin is “I found these instructions on the internet. Let’s run them and see if it works…”

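The kind of check the post above describes (Terminal warning about a hidden carriage return, plus the semicolon case it says that warning misses), as an added example that is not part of the original thread: a small clipboard-inspection helper with hypothetical names `inspect_paste` and `render_for_review`, run on a constructed sample string.

```python
import unicodedata

# Shell constructs that can turn one pasted "command" into several.
SEPARATORS = (";", "&&", "||", "|", "`", "$(")

# Escapes for the characters a text editor would otherwise render invisibly.
ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}


def is_hidden(c: str) -> bool:
    """True for format (Cf) and control (Cc) code points, e.g. zero-width space."""
    return unicodedata.category(c) in ("Cf", "Cc")


def inspect_paste(text: str) -> list:
    """Return warnings for clipboard text that is about to be pasted into a shell.

    An empty list means nothing suspicious was found.
    """
    warnings = []
    if "\r" in text or "\n" in text:
        # A line break makes the shell run the command before anyone can read it.
        warnings.append("contains a line break: command would run without confirmation")
    for sep in SEPARATORS:
        if sep in text:
            warnings.append(f"contains command separator {sep!r}: more than one command may run")
            break
    hidden = sorted({c for c in text if is_hidden(c) and c not in "\r\n\t"})
    if hidden:
        codes = ", ".join(f"U+{ord(c):04X}" for c in hidden)
        warnings.append(f"contains invisible/control characters: {codes}")
    return warnings


def render_for_review(text: str) -> str:
    """Show the clipboard text the way a careful text editor would: every control
    or invisible character becomes a visible escape, so nothing can hide."""
    out = []
    for c in text:
        if c in ESCAPES:
            out.append(ESCAPES[c])
        elif is_hidden(c):
            out.append(f"\\u{ord(c):04x}")
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a harmless listing with a zero-width space, a second
    # command and a trailing newline, the shapes the thread says to look for.
    sample = "ls -la\u200b; echo pasted\n"
    for w in inspect_paste(sample):
        print("WARNING:", w)
    print("review:", render_for_review(sample))
```

Pasting the clipboard into a file and running `render_for_review` over it is the scripted form of the "paste into a text editor first" habit the thread recommends.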

#5

There is a simple workaround: ctrl+c the text on the website, then ctrl+v onto a text file, to make sure you are really getting what you intend. Then copypasta from the text file into your terminal. It isn’t the most elegant workaround, but it’s one that I already use when I’m copypasta-ing text from a website or PDF into a word document or something similar where it will try to copy all the formatting, font, etc., and I only want the text itself.


#6

This is a good strategy for links in emails or anywhere else you can’t mouseover to preview the URL.

Plain text and bare bones text editors do not get enough love, from regular folks. I know the hardcore love them, and have religious wars about which is superior.


#7

I habitually do that as well. Even tho current incarnations of M$w0rd have a format stripper built into CTRL+V options, which will keep, strip or merge formatting.

I still use notepad on M$ to both strip any errant formatting and to cut it up for later use. In all my years, I have never CTRL+C -> CTRL+V a console command. That just begs to have yourself p0wnd. Click and clipboard hijacking predates CSS by quite some time; as long as there has been a clipboard, there have been ways to abuse it. CSS just gives some a layer of abstraction to make things like this easier to write.


#8

The FA discusses the possibility of embedding vim macros that execute malicious code in pastebombs, specifically to attack this countermeasure.


#9

just a heads up: javascript copy and paste hijacking predates the css trick and was discussed in some length in the last thread on this subject.


#10

Just have to tell users to pipe the output of curl from an http source to bash to avoid the risks of cut/paste.


#11

That’s why you should always use pico.


#12

Which is why you should always use nano. :wink:


#13

Let’s not unleash another pico vs nano text editor holy war.


#14

I was enjoying Sarah Jeong’s reporting on the Google v. Oracle lawsuit yesterday (and everyone else should be following her take as well, methinks), and at some point the court requested reading materials be made available to the jury. But when I say “reading materials”, I mean, among other things, the source code of java.

just gonna let that settle in a touch

It’s only like 15 million lines of code, but whatevs.

also, nano is clearly the best. I mean, nobody even knows wtf emacs is


#15

I’ve been following Sarah Jeong’s reporting for a while, her play-by-play on Google v Oracle’s been great. Sadly, her article about the foundering nerds in the trial that got posted here was badly misunderstood in the comments.

emacs is hard to define since it’s not so much a text editor as a different undefinable thing. nano is fairly good, except that it’s not the best editor: pico.


#16

You should check out PureText.

Just copy/cut whatever you want to the clipboard, click on the PureText tray icon, and then paste to any application. Better yet, you can configure a hot-key to convert and paste the text for you. The pasted text will be pure and free from all formatting.

I’ve been using it for years.


#17

At least it would be a small war.


#18

On a Mac you can do shift-opt-cmd-v to paste without formatting, though it’s not a very easy key combo.


#19

BECAUSE WE ALL KNOW THAT EMACS IS THE ONE TRUE

that cover is so awful


IN B4


#20

Nonsense. It’s a pre-GUI environment that also happens to be a text editor. Or: It’s a spatula, a can opener, and a waffle iron.