Source: the author
Yesterday I saw something on Reddit that shocked me.
We all do it almost every day — we look for something on the internet, find a website, copy terminal commands, and other things directly from the site.
Then we paste them directly into the terminal to install things, write code or make configurations.
But there is a huge problem: copying text on a website can be exploited extremely easily with JavaScript.
JavaScript can react to the press of “copy” or the key combination and write something into the clipboard on its own — completely independent from the text we actually wanted to copy.
This can cause us to paste commands into our terminal that we did not want.
Even bigger is the problem that depending on the command we insert, we don’t even have to confirm the execution by pressing enter.
If the command contains a new-line \n, it will be executed immediately when we insert it into the terminal.
Here you can see an example:
Source: the author
You can try it out for yourself here.
As you can see, I just paste the copied code, and it will be executed immediately.
If you already have root privileges in the session at this point, almost anything is possible. A single command that you don’t expect can destroy important files or install software and execute it immediately.
I have tried it on a Windows PC & MacBook — in Firefox, Safari, Chrome & Opera. It works everywhere — no matter if you click on copy in the context menu or use the key combination.
Here is how easy it is
As already mentioned, the whole thing works with JavaScript. We can react individually to the copy event in the browser. JavaScript can suppress the standard reaction (i.e., the copying of the actual text). As you know, it is also possible to save to the clipboard with code.
Combining both provides the exploit.
With document.getElementByIdwe select the element for which we want to intercept and manipulate the copy event. First, we add the event listener to the copy-event.
Then we call a function to save text to the clipboard.
Finally, we block the default event, which the browser would execute — the non-manipulated copy to the clipboard works without JavaScript.
That the browser copies the text itself is now suppressed.
Do not trust copy-to-clipboard-buttons either.
I think this is self-evident. On many websites, a copy-to-clipboard button is offered. Here the same function is used to copy something manually — of course, you can manipulate what is copied.
How you can protect yourself
The only real possibility is to paste everything you have copied somewhere first, for example, into a text file.
Then you can see what it is and decide if you want to run it.
Many thanks for reading! If you are interested in the limits of what is possible on the web, here is more that might interest you:
Summing up
I see the whole thing as a huge security problem. For many developers, it is a normal routine to copy and paste things. Often we do it many times in a row, for example, to install and configure whole applications from the console.
I have already mentioned this on Twitter — I can’t think of that many good reasons why it should be possible to suppress text copying with preventDefault.
You can still use the copy to clipboard function without it.
Every developer can also develop his own context menu, which is unfolded by right-clicking on something. This provides the functionality to copy and paste drag-and-drop elements on many pages.
The fact that an element has been copied is saved in the app-state, there is no need to save anything to the clipboard.
Cases I know of where preventDefault is used for copying visible text is when the author of the page wants to automatically add a link or something else to the copied text.
