
Pastejacking - borski
https://github.com/dxa4481/Pastejacking
======
cryptoz
There are many news sites that make it extremely hard to share their content
on sites like HN or reddit because of these tricks. I wonder if they are
actually losing traffic from it, or if their tactics work? I'm referring to when
you copy the text in the title of an article to try to paste it into the Title
box on HN or reddit. But what you 'paste' is actually a huge paragraph about
how great the news website is and how you should download their apps and read
more on their website. At that point, I can't be bothered to clean it up and I
refuse to type out some text that I should have been able to copy.

Does it really work? Do sites actually get more traffic by hijacking your
keyboard's basic functions to insert advertisements? I guess it probably does.
:(

~~~
dawnerd
I had to implement this kinda code when I worked for Demand Media and it
certainly worked. What's funny is you don't need any fancy new APIs to make it
work. We were doing some pretty basic tactics actually. Only real way to
prevent it is to disable JavaScript.

~~~
mrfusion
You should have refused

~~~
cpach
Moralizing about dawnerd’s employment doesn’t really add to the discussion,
IMHO.

~~~
nitrogen
A new discussion of the ethics of software engineering might be valuable.
Other professions have codes of ethics; maybe it's time for software, too.

~~~
jlgaddis
cf. ACM Code of Ethics and Professional Conduct:
[https://www.acm.org/about-acm/acm-code-of-ethics-and-profess...](https://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct)

~~~
nitrogen
I like most of the ACM code. I think it could use an update with more direct
prohibitions on modern forms of user harm, such as trading in private
information and manipulating search results to promote low quality sites.

------
landhar
Why do browsers not require explicit user permission before allowing a site to
perform clipboard manipulations? In a similar fashion to how the HTML5
geo-location API is opt-in?

~~~
Unklejoe
On a somewhat related note: why do browsers allow websites to prevent you from
leaving via those annoying dialog boxes that ask you to click "cancel" or
"leave"?

~~~
zbuttram
I have seen sites that have pages where you're placed in a queue (for whatever
reason) and if you leave the page you will be dropped from the queue, so it's
nice to have something preventing you from accidentally leaving, but that's
the only legitimate use I can think of.

~~~
atishay811
Websites can find better solutions if we kill this annoying feature. We have
local storage in all browsers. Rather than prompting why not save it and
recover when the user comes back. The users will always prefer this. It saves
data even when the website crashes or the connectivity is lost and there is
some important data on the page. Why have a feature that is abused more often
than used, especially when there is no case where it is the only/best solution?

~~~
rtpg
It's not always that clear. If I leave a page, how is one to know whether that
was intentional or not?

If it's intentional, you don't want to pull the data back up (people want a
"fresh copy")

If it's not intentional, you do want to pull the data back up.

Though of course you can make something like a "New Copy" button, but then
that presents its own challenges.

~~~
ozi
That no longer makes sense unless it isn't feasible to preserve the change
history along with current state...

------
Mahn
For the record you don't actually need to depend on new APIs like
"document.execCommand('copy')", simply shifting focus to an off-screen textbox
area when ctrl is down will do the trick in 95% of the cases, with full cross
browser compatibility.

~~~
Houshalter
Most people copy text with right click, which would be unaffected by that.
Also mobile browsers.

~~~
Mahn
I don't know that most people do that, but right click and mobile seem to
bypass OP's method as well.

------
hoodoof
So I copy a command off a dodgy website, hit paste in my terminal, and a
command drops which runs a shell script that downloads a rootkit, logs me out
and clears the screen leaving me thinking that some weird glitch has happened
but all is OK - is that the sort of scenario we are talking?

~~~
saganus
Although what you propose sounds plausible, the only instance of this I've seen
is when adding copyright notices when you save the link to an image, or when
they add this warning about not stealing the work and adding proper citation.

The problem I see with this scenario is that not everyone is copy-pasting from
the browser into a terminal. I for example copy things to my VM's text editor
first, then run the command. Others could be copy-pasting to an email for
example. In those instances it would be obvious that the site is doing
something not so kosher and it would be noticed pretty soon I guess, depending
on the site's popularity.

~~~
tedmiston
The worst are the sites that add additional text when you copy e.g. something
like a quote.

Try to copy one from this site for example.

[http://www.brainyquote.com/quotes/authors/a/albert_einstein....](http://www.brainyquote.com/quotes/authors/a/albert_einstein.html)

~~~
userbinator
The big warning message I get at the top of that page is funny (emphasis and
commentary mine):

"Please enable Javascript This site requires Javascript be enabled to provide
you _the best experience_ [for us]. Some features [like shoving crap into your
clipboard] may not be available with Javascript disabled!"

It's not uncommon to find sites whose definition of "good UX" is exactly the
opposite of what I want.

------
rbut
This is why I always copy a command into TextEdit (or Notepad on Windows)
first, and then re-copy the clean text before pasting into my terminal.

While we are on the topic of copying and pasting. If the command downloads a
script, make sure you download the script out-of-step via curl first, review
its contents, and only then execute it. This avoids sites maliciously changing
the script based on the User Agent.
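
The download, review, then execute routine described in the comment above, as an added example that is not part of the original thread. The function names and the placeholder URL are assumptions; the digest check ensures the file that runs is byte-for-byte the file that was reviewed.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Print the SHA-256 digest of a file (GNU coreutils or the macOS/BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: fetch with curl into a file instead of piping into sh.
# The file holds exactly what the server sent to curl, which may differ
# from what the same URL shows in a browser.
# Usage: fetch_for_review URL DESTFILE   (prints the digest to record)
fetch_for_review() {
    curl --fail --silent --show-error --location --output "$2" "$1" || return 1
    sha256_of "$2"
}

# Step 2 is manual: read DESTFILE in a pager or editor.

# Step 3: run the file only if it still matches the digest recorded in step 1.
# Usage: run_reviewed FILE EXPECTED_SHA256 [ARGS...]
run_reviewed() {
    file=$1
    want=$2
    shift 2
    have=$(sha256_of "$file") || return 2
    if [ "$have" != "$want" ]; then
        echo "run_reviewed: $file does not match the reviewed digest" >&2
        return 1
    fi
    sh "$file" "$@"
}

# Usage (placeholder URL):
#   sum=$(fetch_for_review https://example.invalid/install.sh ./install.sh)
#   less ./install.sh
#   run_reviewed ./install.sh "$sum"
```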

~~~
nadaviv
Note that clever timing could get the "evil text" in your clipboard between
checking in a text editor and pasting into the terminal. Hard to time
correctly, but not impossible.

~~~
rbut
To solve this, browsers should probably disallow modifying the clipboard after
a certain time period from the event. E.g. 500ms.

~~~
bbcbasic
FTFY:

To solve this, browsers should probably disallow modifying the clipboard.

~~~
Cthulhu_
That would probably break a lot of WYSIWYG-like editors.

~~~
bbcbasic
Touche. Then maybe it should be like location you opt-in per domain, as
another poster said in this discussion.

------
makecheck
Since operating systems can “quarantine” downloaded files, it seems perfectly
reasonable to also quarantine data that can be arbitrarily modified by remote
APIs. This is doubly true when there are all kinds of ways for web sites to
trick the user into visiting domains they don’t really know that they
“requested”.

On the Mac, applications downloaded from the Internet are quarantined; they
stay that way until you accept a warning message displayed at first launch
(even if you wait days to launch it for the first time). The OS helpfully
remembers where the file came from, e.g. “This was downloaded from
www.notmalware.com on July 6, 2000.”.

If a web browser insists on allowing web-controlled Copy behavior, the
resulting pasteboard should be given a big, black TAINTED mark that cannot be
cleared without a very explicit action. If I go to another application and try
to Paste, the other application should not be able to access the data without
clearing the quarantine (e.g. OS provides standard dialog that shows the
entire text and web site of origin, free of any white text-coloring or Unicode
invisibility tricks).

------
beardog
I'd like to point out to everyone that isn't aware of it, this can be (sort
of) done even without Javascript. Extra text can be hidden with CSS that is
easily copied when highlighting other benign text, so be careful even when
using Noscript.

Edit: Sorry, I didn't read close enough.

~~~
Viper007Bond
As mentioned in the first sentence of the second paragraph. ;)

~~~
beardog
Well, I goofed.

------
vonklaus
I can't reproduce this in chrome or safari. I have ublock enabled, but a cmd +
c gives me the bell in iterm(fail) and if I click edit copy from the drop
down, the shell echoes

    "not evil"

without a line break as expected. Chrome and Safari.

edit: doesn't seem to have unexpected behavior in terminal either. Am I
missing something, or does uBlock default deny the scripts that can do this?

edit 2: console log: Copying text command was unsuccessful. uBlock disabled.

~~~
stepanhruda
Same here

------
GlitchMr
How is that better than a purely HTML/CSS attack (or even telling a person to
use `curl blahblah | sh` command)?

This particular attack doesn't work when not using keyboard to copy (think
select to copy (traditional X behavior) or using a context menu), it causes
text to unselect after busy loop ends, causes fans in my laptop to start
working (because of busy new Date loop), causes cursor to cease changing for a
certain period of time, requires me to enable JavaScript, requires support for
"copy" command (which isn't universal), and requires the user to press CTRL+C
either way (otherwise the webpage won't be able to copy into a clipboard).

I guess you could paste an output after a certain time, but because of
hijacking on Ctrl key, nothing can be copied before busy loop ends, and as a
result, it doesn't prevent "pasting the command into Notepad" just to ensure
it's safe - as either what previously was in pastebin or malicious command
will be pasted.

[https://xfix.github.io/mystery-zone/command.html](https://xfix.github.io/mystery-zone/command.html)
(disclaimer: I made this page) doesn't have any of those problems (other than
requiring the user to copy text in any way (CTRL+C, text selection, context
menu, whatever odd interface you have)), and it still can break vim (and
for that matter, bash, zsh (including zsh with paste protection), fish, and
emacs).

------
makecheck
I remember adding an entire feature to my terminal to check for multi-line
Paste because it was frustrating to execute something _by accident_. It never
occurred to me that we would reach the point where the Copy itself could not
even be trusted.

It is time to rein in all the things that web browsers are complicit in doing
at the request of random web sites. There needs to be a _lot_ more thought put
into these “APIs” that sites have access to, and a _lot_ more scrutiny of the
data.

------
_asummers
Are there any plugins that detect your clipboard is being manipulated and
block the offending script from touching it, or perhaps prompt you? I'm
thinking something like uMatrix for that class of JS. I can imagine that being
a useful thing, if one doesn't already exist, both from the security
standpoint and from the "don't add miscellaneous share crap" standpoint.

------
zbuttram
The author noted that iTerm on MacOS notifies when a paste that's about to
happen contains a newline. Cmder on Windows does this as well, it's a nice
feature even outside of the security concerns.

~~~
nathancahill
Didn't get a confirmation on iTerm 2.1.4, Firefox 46.0.1, OSX 10.11 (latest
stable everything). Not sure if I missed something.

~~~
firloop
It's only in the iTerm beta IIRC. I see it on (beta) build 2.9.20160510.

------
pje
Remind me again why we allow browsers to override OS copy commands?

~~~
userbinator
Because the whole Web movement is trying to make browsers into the OS.

~~~
Cthulhu_
Already done; see Chrome OS, WebOS, Firefox OS, probably others.

~~~
lohengramm
I got you, but those are actual operating systems. Regular browsers should
keep being regular browsers, limits respected...

This clipboard thing reminds me of the WebRTC functionality that enables
browsers to scan my network without asking me.

Related:
[https://news.ycombinator.com/item?id=11407536](https://news.ycombinator.com/item?id=11407536)

------
rplnt
This was disabled by default in (classic) Opera (since it was a weird
Microsoft addition). Was surprised how many sites do this when I switched
browsers.

At the same time, it's better than those times when you had flash buttons to
copy link. So I think it should be allowed to change clipboard on user's
action (can it be detected?). But there certainly shouldn't be an event to
change clipboard that is fired after the user copies something (selection
copy, keyboard shortcut, browser ui, ..).

~~~
Aoyagi
Yeah, I was wondering "This example is clearly broken, it won't copy at all".
Glad I'm still using the best browser around!

------
pdkl95
> Note the newline character gets appended to the end of the line.

As others have already pointed out, an API for interacting with the clipboard
is a terrible idea that should be removed from the browser.

However, this particular problem of pasting multi-line strings into the
terminal is already a solved problem if you use rxvt-unicode. The standard
package includes the perl plugin "confirm-paste"[1][2]. Enable it in
~/.Xresources

    URxvt.perl-ext-common: default,confirm-paste

confirm-paste passes single line pastes normally, but asks for a y/n
confirmation before sending a multi-line paste to the shell.

[1] urxvt-confirm-paste(1)

[2] [http://cvs.schmorp.de/rxvt-unicode/src/perl/confirm-paste?vi...](http://cvs.schmorp.de/rxvt-unicode/src/perl/confirm-paste?view=markup)

------
gcb0
freaking Adobe flash.

in its feature creep it added clipboard access.

then web site developers thought it's a crucial feature. even github used a
flash element to allow easy copy of repo url. as if anyone using git can't
copy. then some moron added that to the browser, and every other moron
followed.

morons. copying flash...

------
dschep
Doesn't seem to affect select/middleclick X11 copy&paste.

------
y7
Even if browsers didn't allow changing the clipboard, there's still this older
problem: [http://thejh.net/misc/website-terminal-copy-paste](http://thejh.net/misc/website-terminal-copy-paste)

The solution is definitely to avoid pasting commands with newlines in them
into your terminal. With Vim, you can use the + register to paste (e.g. "+p).
Using iTerm on OS X, I've added a custom keymap for Cmd+V, bound to Run
coprocess:

    pbpaste | tr -d "\n"

which filters out the newlines.
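
The newline filter from the comment above, generalized as an added example that is not part of the original thread: it also treats carriage returns and other control characters (such as ESC) as unsafe, and reports what it found. The function names are hypothetical; `pbpaste` is the macOS clipboard reader used in the comment.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Bytes that can act as "Enter" or drive the terminal when pasted:
# every C0 control character except TAB (\011), plus DEL (\177).
UNSAFE='\000-\010\012-\037\177'

# Classify text on stdin and print one word:
#   clean    no unsafe bytes
#   newline  contains LF or CR, so a paste would submit a command
#   control  contains ESC or another control byte
paste_classify() {
    # Keep only the unsafe bytes and list them as decimal values.
    bytes=$(LC_ALL=C tr -cd "$UNSAFE" | od -An -v -tu1)
    class=clean
    for b in $bytes; do
        case $b in
            10|13) if [ "$class" = clean ]; then class=newline; fi ;;
            *)     class=control ;;
        esac
    done
    echo "$class"
}

# Remove every unsafe byte. Like the original tr filter this joins lines,
# so the result has to be read before Enter is pressed by hand.
paste_sanitize() {
    LC_ALL=C tr -d "$UNSAFE"
}

# Drop-in for the coprocess filter: always emits sanitized text on stdout,
# warns on stderr and returns 1 when something had to be removed.
paste_guard() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    verdict=$(paste_classify < "$tmp")
    paste_sanitize < "$tmp"
    rm -f "$tmp"
    if [ "$verdict" = clean ]; then
        return 0
    fi
    echo "paste_guard: removed unsafe bytes (class: $verdict)" >&2
    return 1
}

# Usage on macOS:  pbpaste | paste_guard
```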

------
kevincox
zsh actually detects pastes into the terminal and doesn't submit the commands
on newlines. This way you see the full command and have to hit enter yourself
to run it.

It isn't perfect because people could try to obscure the command but in
general it makes me a lot happier to paste commands into my terminal.

~~~
bdcravens
I must be doing something wrong, because I copy and paste multiple lines all
the time into zsh (ohmyzsh on iTerm) and it will execute all but the last line
(which generally doesn't have a new line on it)

~~~
kevincox
Maybe your terminal doesn't indicate pasted content properly. I'm using gnome-
terminal and it works flawlessly.

------
commentereleven
"Note that if I can get you to "su and say" something just by asking, you have
a very serious security problem on your system and you should look into it."

- Paul Vixie, vixie-cron INSTALL file
([https://github.com/rhuitl/uClinux/blob/master/user/vixie-cro...](https://github.com/rhuitl/uClinux/blob/master/user/vixie-cron/INSTALL))

------
spullara
Doesn't seem to work in Safari 9.0.3. This was in the console "Copying text
command was unsuccessful".

------
romaniv
The full reach of this issue might not be limited to just text. It might be
possible to mess with scripts in programs like Word by abusing rich text,
macros and styles:

[https://www.youtube.com/watch?v=LoORMRbptTg](https://www.youtube.com/watch?v=LoORMRbptTg)

------
hrjet
> It should also be noted, for some time similar attacks have been possible
> via html/css [1]

As it happens, this particular attack doesn't work in gngr [0]. The example
uses an absolute positioned div to put extra text out of viewport, which is
not picked up by gngr when selecting text.

gngr also doesn't enable Javascript by default, so attacks such as that
described in OP are not possible from random site visits. (I recommend uBlock
/ uMatrix for other browsers).

However, the attack surface is really quite large here. CSS directives such as
`opacity: 0.001` could be easily used to mask extra text.

    
    
      [0]: https://gngr.info/
           and https://github.com/UprootLabs/gngr
      [1]: https://thejh.net/misc/website-terminal-copy-paste

------
SFJulie
I was like, why doesn't it work!

Then I remembered I had no script enabled, and then I remembered I don't trust
JS and browsers by default, they are like OS in my OS that are way complex to
be audited and they have access to way too much sensitive things (files,
display, keyboard, network).

~~~
olalonde
"When you’re a NoScript user and haven’t told anyone in 10 minutes"
[https://pbs.twimg.com/media/CWQbRunUAAAK8f6.png](https://pbs.twimg.com/media/CWQbRunUAAAK8f6.png)

~~~
SFJulie
Education is repetition :)

Weirdly enough, I don't think noScript is the solution (it is heavy,
impractical and I dare not look at the code).

I am pretty wary of the evolution of the DOM + JS interaction and the new
features brought in browsers that look like both a cancer and instabilities
to come.

------
gsiris
Dragging the selected text to somewhere else before copying reveals the actual
text to be copied (at least on Firefox):
[http://i.imgur.com/A7VIWtX.png](http://i.imgur.com/A7VIWtX.png)

------
upofadown
The proof of concept didn't work on Linux (Firefox) using regular Unix style
copy and paste (left button to copy, middle button to paste).

So am I immune (Unix style is all I ever use) or is there a way for my browser
to mess with that buffer as well?

------
aruggirello
_Edit:_ I visited the "about:config" page, searched for
"dom.event.clipboardevents.enabled", then I have set it to false, but that
wasn't nearly enough. _The linked PoC still works_ :-(

------
ohstopitu
This is not the first time this has come up. In fact I wrote an article a
while back on how to use this for something legitimate [1] (including mobile
support).

It is far easier to execute on the desktop (by watching for the control key
press, then creating a hidden div that contains the text to be copied +
malicious code if necessary).

[1] [https://sonalkeshav.me/2015/08/30/html5-clipboard-api/](https://sonalkeshav.me/2015/08/30/html5-clipboard-api/)

------
gravypod
I wasn't able to get this to work. Do I need to use CNTRL + C?

~~~
ipsin
I had a similar experience in Chrome, pasting into gedit. Ctrl-C/Ctrl-V works,
but menu copy/paste doesn't.

------
mavus
Quite nicely iTerm2 will catch when you attempt to paste new line characters
and warn you about it. Mostly it's useful when I've accidentally copied an
extra line, but protecting against malicious abuse is a useful plus.

[http://imgur.com/hPMtbU2](http://imgur.com/hPMtbU2)

------
andrepd
The iTerm feature at the end is very thoughtful. I wish other terminals
provided that feature.

------
tatotato
With the gimmick of slipping the newline in aside, you can really go nuts on
the ampersand.

------
tmcarr
I may be the one guy using it, but I can't repro this on Safari + iTerm
nightlies...

~~~
manish_gill
Same here. Safari + iTerm nightly. Cmd+C/Cmd+V on other text works but for the
demo the author provides, I get no content. The previous clipboard content
isn't overwritten on copying "no evil".

------
isaac739
Default Terminal for OSX pasted the evil copy as expected. iTerm gave me a
warning.

------
intrasight
On the web, I always right-click, inspect, edit html, and copy what I'm after

------
awalGarg
Shameless self plug

Just wrote
[https://github.com/awalGarg/realcopy](https://github.com/awalGarg/realcopy)
to "counter" this. Plan to add for FF as well.

------
jrmiii
If you use a clipboard manager (I use the one built into LaunchBar) you can
preview the contents of the clipboard without having to paste into a text
editor. It takes seconds and is a good habit to develop.

------
Razengan
[1] is not working on OS X 10.11.5 / barebones Safari 9.1.1 (11601.6.17)

[1] [https://security.love/Pastejacking/](https://security.love/Pastejacking/)

------
DoubleMalt
Well once more I'm happy to browse with noscript by default ;)

------
wtbob
Aaand this is yet another reason to disable JavaScript. Why should a site I'm
visiting be able to *$&% with my clipboard without my consent?

------
dcgoss
This is somewhat terrifying. My fear is that a prankster will make the pasted
command be `rm -rf / \n`

------
Grue3
I can't believe vim allows executing commands when pasting text. Who on earth
thought it was a good idea?

~~~
Nyubis
It's not something that vim explicitly allows, it's a side-effect of running
the editor in a terminal. When you paste into a terminal, it's as if the keys
are actually being pressed, rather than just text inserted.

The proper way of pasting into vim, which doesn't have this problem, is "+p
(as mentioned in the article).

~~~
oftenwrong
or

    :set paste

------
tonyle
This could be really horrible, especially if you use a password manager and
copy and paste your password......

------
RVuRnvbM2e
rxvt also protects you from this by warning about multi-line pastes with the
"confirm-paste" plugin

------
fosk
This is one of the innumerable reasons why copying and pasting commands on the
fly is wrong.

This also includes the awful popular installation commands in the form of
"curl -s ... | sh" - which means you are basically giving your computer in
the hands of a third party.

~~~
chrismonsanto
> which means you are basically giving your computer in the hands of a third
> party

As opposed to any other installation method? Do you regularly vet the entire
source code of software you install?

~~~
azernik
I think an actionable takeaway is: even if the curl/wget/whatever points to a
trusted https:// domain, the page you're copying from _also_ needs to be on a
trusted https:// domain.

~~~
rbut
Even if it's a trusted https:// domain, it can still be compromised.
([https://blog.jquery.com/2014/09/24/update-on-jquery-com-comp...](https://blog.jquery.com/2014/09/24/update-on-jquery-com-compromises/))

Always review the script first.

~~~
chrismonsanto
You trust the upstream to provide you with a safe program, but not a safe
installer? That makes zero sense, and your link doesn't provide any evidence
to the contrary

~~~
rbut
Yes, you are correct if the application and script are on the same domain. The
link is simply an example of a major 'trusted' domain being compromised.

------
inevitable2
Thought I would find Mario Heiderich's presentation on the topic. Here you go:
General approach to the problem of security of copy/paste buffers:
[https://insomnihackdotme.files.wordpress.com/2015/03/copypes...](https://insomnihackdotme.files.wordpress.com/2015/03/copypest.pdf)

------
wingless
> How do you protect yourself?

I am already using a terminal emulator that warns me when I paste multiple
lines (ConEmu).

------
fu9ar

    fu9ar@traveler ~ % ^[[200~echo "evil"

It works, but it also doesn't work.

Usually I use the middle-click-to-paste feature, which just doesn't work at
all.

