Hacker News new | past | comments | ask | show | jobs | submit login
Pastejacking (github.com)
722 points by borski on May 24, 2016 | hide | past | web | favorite | 234 comments

There are many news sites that make it extremely hard to share their content on sites like HN or reddit because of these tricks. I wonder if they are actually losing traffic from it, or if their tactics work? I'm referring when you copy the text in the title of an article to try to paste it into the Title box on HN or reddit. But what you 'paste' is actually a huge paragraph about how great the news website is and how you should download their apps and read more on their website. At that point, I can't be bothered to clean it up and I refuse to type out some text that I should have been able to copy.

Does it really work? Do sites actually get more traffic by hijacking your keyboard's basic functions to insert advertisements? I guess it probably does. :(

I had to implement this kinda code when I worked for Demand Media and it certainly worked. Whats funny is you don't need any fancy new apis to make it work. We were doing some pretty basic tactics actually. Only real way to prevent it is disable javascript.

What do you mean by it worked? Did you have metrics supporting increased views that were tied to the paste highjacking?

Demand Media makes money by monitoring ad networks and then paying people to churn out worthless content that pollutes search results. They watch metrics very carefully.

Sounds like a pretty unethical way to make money.

I'm sure that those involved have very interesting rationalizations, but I don't think that it should be viewed from an ethics perspective. Expecting people to behave against their own self interest in the short term, for the good of strangers in the long term, will always end in disappointment. This is actually a pretty simple case of poorly stated objectives being cleverly met by people who are completely self interested. LOC metrics, rat tail bounties, click-through rates. I know this sounds kind of "well what did you expect wearing something like that", but if advertisers establish metrics that are more closely aligned with their objectives then we'd all be better off.

But yeah, Demand Media is terrible and their employees are not on my Christmas card list.

> I know this sounds kind of "well what did you expect wearing something like that"

Which is a perfectly rational question/argument.

> Expecting people to behave against their own self interest in the short term, for the good of strangers in the long term, will always end in disappointment.

I agree. This is a systemic problem, and appeals to ethics won't work (and the advertisers won't change their metrics because of them) - one needs to attack the economic incentives underlying their current strategies.

> (and the advertisers won't change their metrics because of them)

uh. That isn't what I was doing - one party's act in self interest can benefit third parties (even if accidentally)... like electing to not set yourself on fire in a crowded Museum of Yarn and Flammables.

> ...attack the economic incentives underlying their current strategies.

That has been going on since the first ad click payment. I'm guessing that the ideal solution is one that would require a scale of economy that is outside the capabilities of the majority of the market participants, and that is why we still have catch the monkey ads.

>Which is a perfectly rational question/argument.

How is that rational at all? That question is referencing the common practice of blaming rape victims rather than the rapists, by questioning what the victim was wearing.

It is a perfectly rational question. You're layering a bunch of unnecessary stuff about blame on top of it. Rape is always the fault of the rapist. Full stop. Now, given that there probably always will be rapists in the world, can we be allowed to ask questions that help prevent rape?

No, because rapists are given cover and can more easily rationalize their behavior when society implies that rape is a natural or expected consequence of the failure to take precautions against it.

Rape is a natural or expected consequence of the failure to take precautions against it.

It doesn't matter what society implies.

Note that I can say that while unequivocally condemning rape and providing zero cover to rapists. I am describing what is, not what I think ought to be.

>> Rape is a natural or expected consequence of the failure to take precautions against it.

I don't understand - how is that not victim blaming, and going against your last line? And how exactly do you take precautions against rape, especially when you factor in the fact that the perpetrators are far more likely to be people who wield some kind of authority over the victim, including family members, bosses at work, police and security forces, etc. which is true at least where I come from (West Africa), and leads to chronic under reporting / decisions by families to either blame the victim or sweep the whole thing under the rug. Or am I somehow misunderstanding your meaning?

>if advertisers establish metrics that are more closely aligned with their objectives then we'd all be better off

Disagree. Thats a personal value judgment and an ethical perspective viewing efficient corporations as utilitarian bodies fulfilling the greater good.

Kind of odd to even bring ethics up when discussing how websites make money. It doesn't matter at all. Ethics is normally used to discuss other people getting harmed by actions, but when all that harm can be removed simply by closing the browser and doing something else it's barely worth talking about. Is it ethical for a shop to advertise its products in the shop windows when the people running the shop know that there are higher quality products available in a competitors store? Who gives a shit?

> Who gives a shit?

I do. That's probably why I won't be running an effective business any time soon. Being nice and not fucking people over doesn't get you far in highly competitive markets.

I strongly second what 'nitrogen wrote[0]. This is very much about ethics.

> Is it ethical for a shop to advertise its products in the shop windows when the people running the shop know that there are higher quality products available in a competitors store?

In my opinion, no. Basically, if you know your product is shit, you are morally obliged to make it better or find something else to sell; lying to people to make them buy your stuff instead of something objectively better is fucking them over for your own gain.

Think about it the next time you find yourself on the receiving end of such businessmen.

[0] - https://news.ycombinator.com/item?id=11759628

That argument would lead you to the conclusion that if your peers are objectively better than you, then it's immoral for you to seek employment; you must improve yourself or choose a different industry. So do you think you are among the world's best in your area of expertise, or are you voluntarily unemployed? ;)

I do suffer from impostor syndrome sometimes :).

That said, most of my peers who are objectively better than me are already employed, and it's up to employers to select from the available pool of employees. My responsibility is to truthfully present my skills during interview.

If it is on the employer to make a value judgement on your skills, then isn't it also up to the window shopper to make a value judgement on the merchandise?

Well, yes - but in my original comment I didn't say that if you get half a feature behind your competitor, you should trash your merchandise and go do something else. I complained about people willingly making and selling shit, covering the deficiencies up with marketing.

In hiring analogy, it would be as if I couldn't code at all, but could talk my way through the interviews - and so instead of actually learning to code, I'd earn money by getting employed at companies and trying to extract as many paychecks and benefits as I can and then quitting before they figure out I'm a fraud.

Me investing my time to get a job through pure charisma, without bringing any merit to the table, is like selling products on pure marketing. Pretty dishonest, and also poisons the ecosystem for everyone.

Fortunately, hypocrisy is not a fallacy.

> hypocrisy is not a fallacy

... but a warning sign that an argument is probably too broad, too absolute, too confidently stated, and has ten thousand exceptions that you didn't consider.

It is when other people do it.

I completely agree and hope that more and more other engineers just say NO to aggressive advertising bullshit. It is not like one has no choice.

That's partially why I left Demand.

> I do. That's probably why I won't be running an effective business any time soon. Being nice and not fucking people over doesn't get you far in highly competitive markets.

> lying to people to make them buy your stuff instead of something objectively better is fucking them over for your own gain

Thanks, this needed to be said. I'm in the same position. I will probably never be able to run a business either because I hold these same views.

Kind of odd to even bring ethics up when discussing how websites make money. It doesn't matter at all.

This is why we can't have nice things. Because people adopt a FYGM attitude. Because they piss in the pool we all have to swim in.

...all that harm can be removed simply by...

...quitting smoking? Throwing away the prescription pain meds? Giving up junk food?

How about not robbing people of their valuable time and money? How about moving past negative-sum business models where the distributed costs far outweigh the concentrated gains?

> How about moving past ... where the distributed costs far outweigh the concentrated gains?

That pretty much describes living in the US and even Europe to a degree compared to most of the world.

How deep should morality go? Almost all of us in the US consume an order of magnitude more than most of the world for instance.

If I'm actively searching for some information I need, I cannot "simply close the browser and do something else". Search results are polluted with junk and time it takes to find useful information has increased a lot. Finding in-depth information is getting harder and harder because of flood of low quality pages that only hit the keywords and skim the topic on the surface.

Yes, it's called "advertisement". Sad welcome to 2016.

Very sad welcome because somehow working in advertisement industry is considered a respectable occupation in 2016. The cognitive dissonance of the society is sometimes mind-boggling.

"You know, you smell, and look ugly, and certainly are wearing yesteryears fashions. Buy our shit and you can be almost a human again!"

(hey it works in the advertising industry. I attack your humanity on multiple levels and then show you garbage that... kind of, almost, but not really restores your humanity. Of course, you really need next months update, or you're just subhuman again! )

See the glorification of the advertising industry in a popular TV show "Mad Men"

Which is a show about how cool it is to be an asshole and ruin your own and other people's lives by making extremely selfish decisions. This is also why I won't watch House of Cards.

So, do you only watch shows about Gandhi, MLK and J. Christ?

Not sure about Mad Men, but HoC doesn't "glorify" its subject. And tons of great art is about "assholes".

The thing is, and this is a very christian message, assholes are people too.

HoC makes it seem down right cool to screw everyone you know over to attemt to dig yourself out of the massive hole you've dug yourself in to. The sad thing is that much of the American public watching this garbage believes the underlying premise, "do unto others before they do unto you."

Not sure why you're jumping on this train at this junction...

Because parent made an announcement about the junction.

Sure, if you've got a concept of morality based on primarily being motivated to help others rather than pursuing self interest. If that's the case though then the vast majority of people would fall under the category and make it a pretty meaningless description.

> if you've got a concept of morality based on primarily being motivated to help others

Ethically, self-interest is fine. Failing to help others isn't a huge deal either. It's the part where you're actively and deliberately harming others (by polluting search results - impairing both search engines, as a company, and their users) that we're objecting to.

I think the idea of "polluting search results" requires too much of a subjective concept of what good content is to say whether producing one kind or not is unethical. They aren't producing what they are because people aren't looking at it and I'm very sceptical of any notion that people don't generally do what they want. It has a very centrally planned feel to say "people want think pieces" or "people want to read about X" when reality shows that people want easily consumed clickbait and listicles.

What you wrote is a very twisted rationalization of screwing people on purpose. Sure, if you create several things and watch which ones people like more, you can say that those people do what they want. But when you start purposefully designing tricks to e.g. advertise you have information, and then sell them ads and bullshit, you're doing active harm to people. It's not subjective at all.

I assure you I don't need to rationalise. I'm under no delusion that I'm a terrific person and do the assorted immoral things I do with full understanding and acceptance.

Demand Media has strong brands. They aren't anonymous/fly by night operators. If they were promising content and not delivering with any sort of regularity they'd lose viewers. They're not doing that though. The content when you click on an ehow or livestrong article is exactly what you'd expect from an ehow or livestrong article. That you find this content undesirable is very much subjective. Plenty of people seem to enjoy it.

People generally do what they want to do, but they base their decisions on incomplete information on what they are going to get. Lots of crap wouldn't get its clicks if it didn't appear to be something it isn't.

Their crap is what it appears to be though. If they weren't delivering on their clickbaity titles then people would soon learn. It's not like they're anonymous publishers, sites like ehow and livestrong are strong brands. They're not counting on unaware users.

The techniques used to deliver it are a measure of its value.

Humans are social animals and the "self" at least partially includes your community. There's no need to make such a fine distinction when discussing human morality.

I don't personally have any supporting data but the business people were not ones to do things unless it worked. Just look how high in the rankings ehow was able to get before panda hit.

Toggling dom.event.clipboardevents.enabled in Firefox has fixed this on every implementation I've seen apart from the PoC here.

Or inspect and copy from there?

Best solution. Also works for websites that block right click, and other similar tricks, to "protect" the content.

Or to block the loading of the offending javascript!

What's stopping websites from minifying all their javascript into one file and preventing the site from functioning without JS?

Then refuse to use them. That's what I do.

Then you start writing GreaseMonkey scripts and patching the APIs they use.

Would you even need javascript to do it? You could just include that text at the start of each paragraph and hide it with CSS.

You should have refused

Believe me, there was lots of pushing back. It was right before Google dropped panda and basically killed ehow.

You shouldn't refuse. You should document the privacy impact and make sure everybody is aware of the privacy implications.

Moralizing about dawnerd’s employment doesn’t really add to the discussion, IMHO.

A new discussion of the ethics of software engineering might be valuable. Other professions have codes of ethics; maybe it's time for software, too.

cf. ACM Code of Ethics and Professional Conduct: https://www.acm.org/about-acm/acm-code-of-ethics-and-profess...

I like most of the ACM code. I think it could use an update with more direct prohibitions on modern forms of user harm, such as trading in private information and manipulating search results to promote low quality sites.

At least no underhanded techniques have been used to deliver it to you.

> Only real way to prevent it is disable javascript.

Oh, darn … /s

The proof of concept didn't work for me. I highlighted the text, right-clicked and clicked "copy". I thought it was just broken or not hooking the on-copy properly.

Then I realized that the reason I was doing that instead of ctrl-c is all the times that web sites break ctrl-c. I literally have gotten used to highlighting, right-clicking, and clicking copy, for a "clean" copy :) I wasn't even aware I was doing this.

Of course, web sites can hook right-clicks. It would be funny if they threw up a fake context menu matching the default context menu of the browser and operating you're using, but with evil versions of commands :)

I don't disable or modify javascript, so with that addition it would have tricked me.

Right-click hooking could be defeated by inserting a sequence number in the right-click menu and displaying the same sequence number somewhere in the browser window.

I will say that the people who generate event hooks in browsers need to pull their heads out of their asses before this kind of thing becomes necessary.

Highlight, then Edit -> Copy.

But then, I've seen sites that break highlighting. Either intentionally, or accidentally, thinking people will share their every highlight on Twitter (I am looking at you, Medium).

In Firefox, holding CTRL or SHIFT (don't remember which one) bypasses JS hooks and always displays the menu. I think it's even better solution :)

I don't have data on this, but it's a significant turnoff for me. Unless I really have to share the quote, I never bother cleaning it. It doesn't bug me to the extent that I won't share it altogether (I'll just type it out or copy from Chrome devtools); yet I'll be more hesitant to share from that website from thereon.

Many pages in the New York Times are impossible to select text in. But I just select the text from the page source. After reading this article, I'm thinking that might be a good idea in general.

I do too. But sometimes there's no text in source, just scripts :(

In Firefox use CTRL-SHIFT-I or use Firebug to inspect the code on the page after it's generated. I guess many times it's a transparent div covering the text, not javascript tricks like this, but I might be wrong. You can remove the div using Firebug. Selecting the text in Firebug will work, but may be a lot more work. How about printing to PDF, then selecting the text there?

remembers the times when computers were supposed to make things easier for us

"supposed" to, but never really did.

Easier to take (possibly steal) on your terms?

The problem is that browsers are trying to protect the wrong people. An average joe will not even have a terminal to paste commands in.

Most people who use terminals know how to protect themselves, and they can recognize questionable content.

This whole problem shouldn't even exist.

Why do browsers not require explicit user permission before allowing a site to perform clipboard manipulations? In a similar tashion to how the HTML5 geo-location API is opt-in?

Firefox and IE let this feature be configurable:




But the same quick search shows that it does not appear possible to control this in Chrome. If anyone knows how, please correct me.

I just turned this preference off in Firefox, and it didn't stop the demo from working, which makes sense since the preference says it only disables oncopy/cut/paste events, and this demo uses a different method.

This is because the Firefox preference is useless - it only disables the clipboard events, but not the clipboard access from any other event. So the demo simply hooks the keydown event instead. Have a look at the source, it's really quite straightforward.

What browsers really should have are a standard "Ask & Whitelist" dialog for all of these security critical features[1]. It seems Firefox even used to have this feature, but it and the corresponding addon have long since crumbled to dust[2].

Unfortunately browsers are no longer controlled by hackers who think about all the implications of a feature, but by corporations who think about money, and us hackers have to spend inordinate amounts of time trying to play security whack-a-mole, or be forced to give up and use our browsers like sheep, the way the corporations want us to.

[1] There's many more, including utterly ridiculous stuff such as telling websites the battery charge status of your device (and if your charger is plugged in): https://gist.github.com/haasn/69e19fc2fe0e25f3cff5

[2] http://kb.mozillazine.org/Granting_JavaScript_access_to_the_...

I found one of the bugs and... wow:


They had a pretty useful per-site configuration mechanism that wasn't UI-configurable so someone started to make a UI for it, but then some higher-up decided they should remove the whole thing completely! The screenshots they have there look so awesome:


It's ironic that, meanwhile, IE gets this right.

> Unfortunately browsers are no longer controlled by hackers who think about all the implications of a feature, but by corporations who think about money, and us hackers have to spend inordinate amounts of time trying to play security whack-a-mole, or be forced to give up and use our browsers like sheep, the way the corporations want us to.

FWIW, the features that this uses have their origins in proprietary IE5 features (maybe 5.5?). Whether this attack works in IE5 I leave as an exercise to someone else.

Note that the tradeoffs are more complex than what one might naïvely assume: people weren't using the feature as it existed in Firefox before because it required explicit user interaction, but doing the same thing through Flash didn't… so everyone just used Flash. In effect, this is a security bug the platform has long had (because, like it or not, de-facto the web platform for the longest time included Flash). Now, should we blindly copy everything Flash can do? Of course not. But if something is making people hold on to Flash, we really should consider the tradeoffs. Are we just gaining theoretical superiority but practical irrelevance (on desktop at least; mobile where Flash is gone is a different story)?

> I just turned this preference off in Firefox, and it didn't stop the demo from working, which makes sense since the preference says it only disables oncopy/cut/paste events, and this demo uses a different method.

How is this method different?

Oncopy is a named javascript event type that triggers when you copy the text of an element.

This method is more sophisticated; it monitors the whole page for copy commands, and has an event listener watching to see when this 'copy' command is executed.

I tried the demo in Safari 9.1.1 (11601.6.17) and got "not evil" in the Terminal.

Did you use the keyboard or the mouse? Because when I copy using keys, my clipboard is empty. Only right-clicking gives me "not evil". The eventListener is on keydown FYI

It's honestly probably because it's been done in Flash for so long that any difficulties would be worked around with more Flash.

On a somewhat related note: why do browsers allow websites to prevent you from leaving via those annoying dialog boxes that ask you to click "cancel" or "leave"?

To be able to remind you about your unsaved changes before you leave the page. I personally find the benefits of websites doing that to be greater than the annoyment from websites abusing this functionality. (just an extra click when its being abused, but potentially saving hours of my time when used properly)

Sure, but I ant to at least be able to blacklist sites. Yes, Jira, I'm looking at you.

This seems like a good thing for an extension to do.

I have seen sites that have pages where you're placed in a queue (for whatever reason) and if you leave the page you will be dropped from the queue, so it's nice to have something preventing you from accidentally leaving, but that's the only legitimate use I can think of.

I used to work for a company whose primary product was a web server that companies could buy and run for use purely internally. Our pages involved a lot of data entry that could be lost, so that sort of pop-up can be handy in that situation as well.

Of course a better solution wouldve been a program which doesnt so easily let you lose data in the first place, but this software was long past that.

Still, that functionality should be opt-in.

It's really not that bad. The big problem was historically the buttons were labeled "Cancel" or "Ok", and some browsers allowed pages to customize the button labels, making which you clicked very ambiguous. Browsers today just giving "Stay on this page" and "Leave this page" buttons aren't really much of a bother if you remember how bad it used to be.

Or potentially losing any page state when navigating away or closing a browser, such as form data.

Right. You don't want to lose the blog post or other document you've been working on for an hour because you hit the close button on the wrong tab.

Websites can find better solutions if we kill this annoying feature. We have local storage in all browsers. Rather than prompting why not save it and recover when the user comes back. The users will always prefer this. It saves data even when the website crashes or the connectivity is lost and there is some important data on the page. Why have a feature that is abused more often than used especially there is no case where it is the only/best solution.

It's not always that clear. If I leave a page, how is one to know whether that was intentional or not?

If it's intentional, you don't want to pull the data back up (people want a "fresh copy")

If it's not intentional, you do want to pull the data back up.

Though of course you can make something like a "New Copy" button, but then that presents its own challenges.

That no longer makes sense unless it isn't feasible to preserve the change history along with current state...

I agree. This thought process comes from a different era and has just continued to perpetuate itself. If you are working on insanely* large files then that box makes sense, otherwise we have the technology to save the user the headache.

*insanely large is anything that takes up 75% of whatever computer bottlenecks first at the time of reading this comment(Memory, processor)

Funnily enough that API is already highly restricted: You can only show that single dialog box, you cannot modify the actions of the cancel and leave buttons and you cannot perform any asynchronous operations within the callback. (Technically you can, but the browser won't wait for them to finish)

All this was introduced to prevent abuse. Apparently it still wasn't enough though...

It's important to point out that the "yes, actually leave" option is not overridable. As a developer, you only get to set what message is displayed. The browser handles the rest, and it's basically "stop redirecting or continue". The developer only has control in the "stop redirecting" case.

Totally agree. On Firefox these are often modal to the whole browser so you can't even force close the tab.

What absolutely annoys me about this feature is that there are shitty ads which throw this dialog in a loop, making it virtually impossible to close them.

In which browser? Modern implementations shouldn't even make that possible.

Chromium on Linux. Maybe they play some tricks with refreshing or redirecting to make the browser show this dialog again on the next attempt to close the tab, if the browser wouldn't normally do that. Unfortunately, I didn't investigate and don't have links.

I see it on Firefox. Now that you mention it, it seems to happen less often lately. Maybe I am looking less at shady sites or they have changed something.

It's intended use is for data entry, it's meant to be a prompt for "Hey there's unsaved changes on your 'Super Important Document' are you sure you want to to leave?"

This is fair. For me, this is a case where it is likely as narrowly annoying as helpful, and thus a no-win situation. Some sites I use are respnsible allowing you to copy an ip address on click, or a cryptocurrency wallet address on click, removing any extra whitespace and confirming a full address copy. This is quite important as perfectly copied addresses (which are basically massive strings of random text) ensure your money arrives properly, or is dispatched to the correct location.

However, sometimes I want to share a qoute I found online. I don't want a promo for the website inserted into my clipboard. For them, it must be a fine line that realization: user-hostility can be short term profitable but long term fatal.

For the record you don't actually need to depend on new APIs like "document.execCommand('copy')", simply shifting focus to an off-screen textbox area when ctrl is down will do the trick in 95% of the cases, with full cross browser compatibility.

Most people copy text with right click, which would be unaffected by that. Also mobile browsers.

I don't know that most people do that, but right click and mobile seem to bypass OP's method as well.

.. Not sure this would work in OSX.

Just use event.metaKey as well as CTRL.

So I copy a command off a dodgy website, hit paste in my terminal, and a command drops which runs a shell script that downloads a rootkit, logs me out and clears the screen leaving me thinking that some weird glitch has happened but all it OK - is that the sort of scenario we are talking?

Although what you propose sound plausible, the only instance of this I've seen is when adding copyright notices when you save the link to am image, or when they add this warning about not stealing the work and adding proper citation.

The problem I see with this scenario is that not everyone is copy-pasting from the browser into a terminal. I for example copy things to my VM's text editor first, then run the command. Other could be copy-pasting to an email for example. In those instances it would be obvious that the site is doing something not so kosher and it would be notices pretty soon I guess, depending on the site's popularit

The worst are the sites that add additional text when you copy eg something like a quote.

Try to copy one from this site for example.


The big warning message I get at the top of that page is funny (emphasis and commentary mine):

"Please enable Javascript This site requires Javascript be enabled to provide you the best experience [for us]. Some features [like shoving crap into your clipboard] may not be available with Javascript disabled!"

It's not uncommon to find sites whose definition of "good UX" is exactly the opposite of what I want.

Middle click (if you have it) gets around this!

Interesting; drag-and-drop bypasses that (allowing the selected text, and only the selected text, to be grabbed) but Copy using either keyboard or mouse is hijacked.

In an ideal world I'd get a warning that the copied text did not match the selected text.

Actually the selected text does usually match the copied text. It's just that some of the text is 0 font size so you don't know that you copied it.

Twitter does this on every single tweeted link. For example copy the link in this tweet: https://twitter.com/twitter/status/727507892283142145

You don't see a https:// on the page, but it gets put on your clipboard because it is actually there with 0 font size. In this case it's actually pointless though because they cut off the end of the url.

iTerm solves this problem from the other side- if you paste something that contains newlines, you get a confirmation dialog.

It defangs this vulnerability nicely.

The problem being that with this particular vulnerability, you do get the correct text in your clipboard initially, it's just overridden less than a second later.

Combined with XSS, it may not even have to be a dodgy website. A fair number of projects encourage people to copy and paste scripts into their shell in order to install these days.

Why close the window when you can hide what you did?

    echo hacked > hacked.txt; echo -ne '\033[1F\033[2K'
    echo innocent

Or just has a fun little `rm -rf /`


        do not remove '/' (default)

`rm -rf ~/*` then

  sudo rm -rf /sys/firmware/efi/efivars/
(no, don't run that at home)

This is why I always copy a command into TextEdit (or Notepad on Windows) first, and then re-copy the clean text before pasting into my terminal.

While we are on the topic of copying and pasting. If the command downloads a script, make sure you download the script out-of-step via curl first, review its contents, and only then execute it. This avoids sites maliciously changing the script based on the User Agent.

Note that clever timing could get the "evil text" in your clipboard between checking in a text editor and pasting into the terminal. Hard to time correctly, but not impossible.

If you're taking that step, then after you paste into the clean room, you copy out of the clean room.

At first I thought "I don't do this; it's never seemed necessary", but actually, I think I do. Years of copying to a plain text editor to strip formatting have conditioned the behavior.

Yeah, I started to copy through a text box (usually the Windows Run (Win+R) box, which isn't exactly safe now that I think of it...) to strip formatting some time ago. It's pretty much necessary whenever you want to paste anything into GMail web interface. The web is getting more ridiculous every day...

ctrl+shift+v removes formatting directly when pasting

To solve this, browsers should probably disallow modifying the clipboard after a certain time period from the event. Eg. 500ms.


To solve this, browsers should probably disallow modifying the clipboard .

That would probably break a lot of WYSIWYG-like editors.

Touche. Then maybe it should be like location you opt-in per domain, as another poster said in this discussion.

They do. Browsers only let you intercept and tweak existing clipboard events.

TextEdit is RTF by default - I wonder if you can include control characters to screw with that? I use Sublime/Atom since those are plaintext by default.

Yes, switching TextEdit to default to Plain Text is the first thing I do after installing OSX.

Cool - just pointing this out since giving the advice to use TextEdit doesn't actually say 'in plain-text mode.' :)

I've started putting the preview step right inline with the curl bash instructions.

    curl -sL http://example.com/install.sh | less -eK && \
    curl -sL http://example.com/install.sh | bash

That still relies on the second `curl` fetching the same instructions as the first (an invariant that a really nasty web server wouldn't have to obey). Wouldn't it be better to use a `tee` to make sure that what you read with `less` is exactly what's executed?

(For what it's worth, it turns out that this sort of nefarious invariant disrespect was discussed at https://news.ycombinator.com/item?id=11532599 .)

I use Quicksilver, and generally paste what I've copied there first. Also lets me strip the formatting, like pasting with Shift + Option + Command + V.

I do the same but use the browser's URL bar. It's closer than opening TextEdit.

Or you could "View Source"

Yes look in this one first: all_ze_scripts.min.js (8mb).

I think drauh meant to copy the desired text from the source view, not to reverse-engineer the page to figure out its behavior.


iTerm warns you when you try to paste some text with a newline.

Since operating systems can “quarantine” downloaded files, it seems perfectly reasonable to also quarantine data that can be arbitrarily modified by remote APIs. This is doubly true when there are all kinds of ways for web sites to trick the user into visiting domains they don’t really know that they “requested”.

On the Mac, applications downloaded from the Internet are quarantined; they stay that way until you accept a warning message displayed at first launch (even if you wait days to launch it for the first time). The OS helpfully remembers where the file came from, e.g. “This was downloaded from www.notmalware.com on July 6, 2000.”.

If a web browser insists on allowing web-controlled Copy behavior, the resulting pasteboard should be given a big, black TAINTED mark that cannot be cleared without a very explicit action. If I go to another application and try to Paste, the other application should not be able to access the data without clearing the quarantine (e.g. OS provides standard dialog that shows the entire text and web site of origin, free of any white text-coloring or Unicode invisibility tricks).

I'd like to point out to everyone that isn't aware of it, this can be (sort of) done even without Javascript. Extra text can be hidden with CSS that is easily copied when highlighting other benign text, so be careful even when using Noscript.

Edit: Sorry, I didn't read close enough.

As mentioned in the first sentence of the second paragraph. ;)

Well, i goofed.

Don't forget the alt text of a 1×1 px image.

I can't reproduce this in chrome or safari. I have ublock enabled, but a cmd + c gives me the bell in iterm(fail) and if I click edit copy from the drop down, the shell echos

   "not evil"
without a line break as expected. Chrome and Safari.

edit: doesn't seem to have unexpected behavior in terminal either. Am I missing something, or does uBlock default deny the scripts that can do this?

edit 2: console log: Copying text command was unsuccessful. uBlock disabled.

Same here

How is that better than purely HTML/CSS attack (or even telling a person to use `curl blahblah | sh` command)?

This particular attack doesn't work when not using keyboard to copy (think select to copy (traditional X behavior) or using a context menu), it causes text to unselect after busy loop ends, causes fans in my laptop to start working (because of busy new Date loop), causes cursor to cease changing for a certain period of time, requires me to enable JavaScript, requires support for "copy" command (which isn't universal), and requires the user to press CTRL+C either way (otherwise the webpage won't be able to copy into a clipboard).

I guess you could paste an output after a certain time, but because of hijacking on Ctrl key, nothing can be copied before busy loop ends, and as a result, it doesn't prevent "pasting the command into Notepad" just to ensure it's safe - as either what previously was in pastebin or malicious command will be pasted.

https://xfix.github.io/mystery-zone/command.html (disclaimer: I made this page) doesn't have any of those problems (other than requiring the user to copy text in any way (CTRL+C, text selection, context menu, whatever odd interface do you have)), and it still can break vim (and for that matter, bash, zsh (including zsh with paste protection), fish, and emacs).

I remember adding an entire feature to my terminal to check for multi-line Paste because it was frustrating to execute something by accident. It never occurred to me that we would reach the point where the Copy itself could not even be trusted.

It is time to rein in all the things that web browsers are complicit in doing at the request of random web sites. There needs to be a lot more thought put into these “APIs” that sites have access to, and a lot more scrutiny of the data.

Are there any plugins that detect your clipboard is being manipulated and block the offending script from touching it, or perhaps prompt you? I'm thinking something like uMatrix for that class of JS. I can imagine that being a useful thing, if one doesn't already exist, both from the security standpoint and from the "don't add miscellaneous share crap" standpoint.

The author noted that iTerm on MacOS notifies when a paste that's about to happen contains a newline. Cmder on Windows does this as well, it's a nice feature even outside of the security concerns.

Didn't get a confirmation on iTerm 2.1.4, Firefox 46.0.1, OSX 10.11 (latest stable everything). Not sure if I missed something.

It's only in the iTerm beta IIRC. I see it on (beta) build 2.9.20160510.

Yeah, it's only in the beta/nightly builds at this point. I switched to the beta just for that feature; it's great.

Remind me again why we allow browsers to override OS copy commands?

Because the whole Web movement is trying to make browsers into the OS.

Already done; see Chrome OS, WebOS, Firefox OS, probably others.

I got you, but those are actual operating systems. Regular browsers should keep being regular browsers, limits respected...

This clipboard thing remembers me of the webrtc functionality that enable browsers to scan my network without asking me.

Related: https://news.ycombinator.com/item?id=11407536

This was disabled by default in (classic) Opera (since it was a weird microsoft addition). Was surprised how many sites do this when I switched browsers.

At the same time, it's better than those times when you had flash buttons to copy link. So I think it should be allowed to change clipboard on user's action (can it be detected?). But there certainly shouldn't be an event to change clipboard that is fired after the user copies something (selection copy, keyboard shortcut, browser ui, ..).

Yeah, I was wondering "This example is clearly broken, it won't copy at all". Glad I'm still using the best browser around!

> Note the newline character gets appended to the end of the line.

As others have already pointed out, an API for interacting with the clipboard is a terrible idea that should be removed from the browser.

However, this particular problem of pasting multi-line strings into the terminal is already a solved problem if you use rxvt-unicode. The standard package includes the perl plugin "confirm-paste"[1][2]. Enable it in ~/.Xresources

    URxvt.perl-ext-common: default,confirm-paste
confirm-paste passes single line pastes normally, but asks for a y/n confirmation before sending a multi-line paste to the shell.

[1] urxvt-confirm-paste(1)

[2] http://cvs.schmorp.de/rxvt-unicode/src/perl/confirm-paste?vi...

freaking Adobe flash.

in it's feature creep it added clipboard access.

then web site developers thought it's a crucial feature. even github used a flash element to allow easy copy of repo url. as if anyone using git can't copy. then some moron added that to the browser, and every other moron followed.

morons. copying flash...

Doesn't seem to affect select/middleclick X11 copy&paste.

Even if browsers didn't allow changing the clipboard, there's still this older problem: http://thejh.net/misc/website-terminal-copy-paste

The solution is definitely to avoid pasting commands with newlines in them into your terminal. With Vim, you can use the + register to paste (e.g. "+p). Using iTerm on OS X, I've added a custom keymap for Cmd+V, bound to Run coprocess:

    pbpaste | tr -d "\n"
which filters out the newlines.

zsh actually detects pastes into the terminal and doesn't submit the commands on newlines. This way you see the full command and have to hit enter yourself to run it.

It isn't perfect because people could try to obscure the command but in general it makes me a lot happier to paste commands into my terminal.

This. I'd argue that the issue here is more with terminals and shells than web browsers: paste shouldn't immediately start executing something. The technology to not do so has been around for years - it's called bracketed paste: https://cirw.in/blog/bracketed-paste

I must be doing something wrong, because I copy and paste multiple lines all the time into zsh (ohmyzsh on iTerm) and it will execute all but the last line (which generally doesn't have a new line on it)

Maybe your terminal doesn't indicate pasted content properly. I'm using gnome-terminal and it works flawlessly.

This was one of the first things that made me fall in love with zsh.

"Note that if I can get you to "su and say" something just by asking, you have a very serious security problem on your system and you should look into it."

- Paul Vixie, vixie-cron INSTALL file (https://github.com/rhuitl/uClinux/blob/master/user/vixie-cro...)

Doesn't seem to work in Safari 9.0.3. This was in the console "Copying text command was unsuccessful".

The full reach of this issue might not be limited to just text. It might be possible to mess with scripts in programs like Word by abusing rich text, macros and styles:


> It should also be noted, for some time similar attacks have been possible via html/css [1]

As it happens, this particular attack doesn't work in gngr [0]. The example uses an absolute positioned div to put extra text out of viewport, which is not picked up by gngr when selecting text.

gngr also doesn't enable Javascript by default, so attacks such as that described in OP are not possible from random site visits. (I recommend uBlock / uMatrix for other browsers).

However, the attack surface is really quite large here. CSS directives such as `opacity: 0.001` could be easily used to mask extra text.

  [0]: https://gngr.info/
       and https://github.com/UprootLabs/gngr
  [1]: https://thejh.net/misc/website-terminal-copy-paste

I was like why does not it works!

Then I remembered I had no script enabled, and then I remembered I don't trust JS and browsers by default, they are like OS in my OS that are way complex to be audited and they have access to way too much sensitive things (files, display, keyboard, network).

"When you’re a NoScript user and haven’t told anyone in 10 minutes" https://pbs.twimg.com/media/CWQbRunUAAAK8f6.png

Education is repetition :)

Weirdly enough, I don't think noScript is the solution (it is heavy, unpractical and I dare not look the code).

I am pretty awry of the evolution of the DOM + JS interaction and the new features brought in browsers that looks like both a cancer and instabilities to come.

Dragging the selected text to somewhere else before copying reveals the actual text to be copied (at least on Firefox): http://i.imgur.com/A7VIWtX.png

The proof of concept didn't work on Linux (Firefox) using regular Unix style copy and paste (left button to copy, middle button to paste).

So am I immune (Unix style is all I ever use) or is there a way for my browser to mess with that buffer as well?

Edit: I visited the "about:config" page, searched for "dom.event.clipboardevents.enabled", then I have set it to false, but that wasn't nearly enough. The linked PoC still works :-(

This is not the first time this has come up. In fact I wrote an article a while back on how to use this for something legitimate [1] (including mobile support).

It is far easier to execute on the desktop (by watching for the control key press, then creating a hidden div that contains the text to be copied + malicious code if necessary).

[1] https://sonalkeshav.me/2015/08/30/html5-clipboard-api/

I wasn't able to get this to work. Do I need to use CNTRL + C?

I had a similar experience in Chrome, pasting into gedit. Ctrl-C/Ctrl-V works, but menu copy/paste doesn't.

If you read the source of the website, it has a

> document.addEventListener('keydown', function(event) { ... })

Basically, press any key on your keyboard on the website, and it'll work.

You do have to use the keyboard shortcut. It executes the snippet regardless of which key sequence you press though ('keydown' event on document).

It may also be because you have no support for execCommand if it didn't work for CTRL+C.

Quite nicely iTerm2 will catch when you attempt to paste new line characters and warn you about it. Mostly it's useful when I've accidentally copied an extra line, but protecting against malicious abuse is a useful plus.


The iTerm feature at the end is very thoughtful. I wish other terminals provided that feature.

With the gimmick of slipping the newline in aside, you can really go nuts on the ampersand.

I may be the one guy using it, but I can't repro this on Safari + iTerm nightlies...

Same here. Safari + iTerm nightly. Cmd+C/Cmd+V on other text works but for the demo the author provides, I get no content. The previous clipboard content isn't overwritten on copying "no evil".

Default Terminal for OSX pasted the evil copy as expected. iTerm gave me a warning.

On the web, I always right-click, inspect, edit html, and copy what I'm after

Shameless self plug

Just wrote https://github.com/awalGarg/realcopy to "counter" this. Plan to add for FF as well.

If you use a clipboard manager (I use the one built into LaunchBar) you can preview the contents of the clipboard without having to paste into a text editor. It takes seconds and is a good habit to develop.

[1] is not working on OS X 10.11.5 / barebones Safari 9.1.1 (11601.6.17)

[1] https://security.love/Pastejacking/

Well once more I'm happy to browse with noscript by default ;)

Aaand this is yet another reason to disable JavaScript. Why should a site I'm visiting be able to *$&% with my clipboard without my consent?

This is somewhat terrifying. My fear is that a prankster will make the pasted command be `rm -rf / \n'

I can't believe vim allows executing commands when pasting text. Who on earth thought it was a good idea?

It's not something that vim explicitly allows, it's a side-effect of running the editor in a terminal. When you paste into a terminal, it's as if the keys are actually being pressed, rather than just text inserted.

The proper way of pasting into vim, which doesn't have this problem, is "+p (as mentioned in the article).


    :set paste

I just used it today to run 200 commands I generated from Excel.

This could be really horrible, especially if you use a password manager and copy and paste your password......

rxvt also protects you from this by warning about multi-line pastes with the "confirm-paste" plugin

This is one of the innumerable reasons why copying and pasting commands on the fly is wrong.

This also includes the awful popular installation commands in the form of "curl -s ... | sh" - which means you are basically giving your computer in the hands of a third party.

> which means you are basically giving your computer in the hands of a third party

As opposed to any other installation method? Do you regularly vet the entire source code of software you install?

I think an actionable takeaway is: even if the curl/wget/whatever points to a trusted https:// domain, the page you're copying from also needs to be on a trusted https:// domain.

Even if its a trusted https:// domain, it can still be compromised. (https://blog.jquery.com/2014/09/24/update-on-jquery-com-comp...)

Always review the script first.

You trust the upstream to provide you with a safe program, but not a safe installer? That makes zero sense, and your link doesn't provide any evidence to the contrary

Yes, you are correct if the application and script are on the same domain. The link is simply an example of a major 'trusted' domain being compromised.


No, but I can verify the hash of the installer before I run it though.

And who provided you with the hash?

For distro packages? Any number of alternate download sources.

But I agree with your greater point; hashes are better used as a guard against file corruption than fuckery.

If the program you want to install is included in your distribution's packages then this whole discussion is moot. We are talking about ways of installing from third-party sources.

Thought I would find Mario Heiderich's presentation on the topic. Here you go : General approch to the problem of security of copy/paste buffers : https://insomnihackdotme.files.wordpress.com/2015/03/copypes...

>How do you protect yourself?

I am already using a terminal emulator that warns me when I paste multiple lines (ConEmu).

    fu9ar@traveler ~ % ^[[200~echo "evil"
It works, but it also doesn't work.

Usually I use the middle-click-to-paste feature, which just doesn't work at all.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact