Pastejacking Attack Allows Hackers to Execute Malicious Code

The fact that web browsers allow developers to manipulate the content of the clipboard can be exploited by attackers to trick unsuspecting users into executing potentially malicious code on their systems.

Experts demonstrated several years ago that HTML/CSS tricks could be used to add arbitrary content to the clipboard without the user’s knowledge. However, the method detailed by developer and security expert Dylan Ayrey, dubbed “Pastejacking,” relies on JavaScript to accomplish the task.

“What’s different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it’s easier to copy in hex characters into the clipboard, which can be used to exploit VIM,” Ayrey explained.

A proof-of-concept (PoC) developed by the expert shows the threat posed by a Pastejacking attack when the user pastes commands copied from the web browser into the terminal. The example provided by Ayrey shows how an attacker can trick the user into thinking that they are copying echo “not evil” when in fact the string that gets copied is echo “evil”\n.

The \n (newline) character ensures that the command is executed automatically when pasted into the terminal without the user having to press the enter/return key. This means that the victim doesn’t get to see what they are pasting before it gets executed.

It’s worth noting that Ayrey’s PoC only works if the code is copied using keyboard shortcuts. However, the advantage is that the malicious content is added to the clipboard regardless of what piece of text is copied from the PoC page.

Malicious actors can use even more sophisticated payloads where a sequence of commands is executed. For instance, the expert demonstrated that the attacker can create a file in the home directory, clear the terminal, and display the command the user intended to copy in an effort to avoid raising suspicion. Sophisticated payloads can also be used if the attacker serves malicious code designed for execution in the vim text editor.

“This method can be combined with a phishing attack to entice users into running seemingly innocent commands. The malicious code will override the innocent code, and the attacker can gain remote code execution on the user’s host if the user pastes the contents into the terminal,” Ayrey said.

The attack method does not work against Apple’s Safari browser, and some applications, such as the OS X terminal replacement iTerm and the Windows console emulator Cmder, show warnings when a command containing the newline character is about to be pasted.

While many believe they would never fall for such tricks, some pointed out that it’s not uncommon for users to copy and paste commands from websites such as StackOverflow.

Pastejacking attacks can be mitigated by disabling JavaScript or by making various settings changes in the affected applications. However, the easiest way to avoid falling victim to such attacks is to be cautious when pasting content from questionable sources.
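
The paste-time warning that iTerm and Cmder are described as showing can be sketched as a check on the clipboard text before it reaches the shell. This is an added example, not code from Ayrey's PoC or from either terminal; inspectPaste, its return shape and the sample strings are assumptions made for illustration.

```javascript
// Added example: inspect clipboard text before it is handed to a shell.
// inspectPaste and its return shape are hypothetical names for this sketch.

// Control characters other than tab; covers LF (0x0a), CR (0x0d) and ESC (0x1b).
const CONTROL = /[\u0000-\u0008\u000a-\u001f\u007f]/g;

function visible(ch) {
  // Render a control character as a readable escape such as \n or \x1b.
  if (ch === "\n") return "\\n";
  if (ch === "\r") return "\\r";
  return "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0");
}

function inspectPaste(text) {
  const findings = [];
  if (/[\r\n]/.test(text)) {
    // A line terminator makes the shell run the line without the user pressing Enter.
    const lines = text.split(/\r\n|\r|\n/).filter((l) => l.length > 0);
    findings.push(`line terminator present: ${lines.length} line(s) would run on paste`);
  }
  if (text.includes("\u001b")) {
    findings.push("ESC (0x1b) present: interpreted as a command key by editors such as vim");
  }
  const others = (text.match(CONTROL) || []).filter((c) => !"\r\n\u001b".includes(c));
  if (others.length > 0) {
    findings.push(`${others.length} other control character(s) present`);
  }
  return {
    safe: findings.length === 0,
    findings,
    // Text for a confirmation prompt: every hidden character is made visible.
    preview: text.replace(CONTROL, visible),
  };
}

// Constructed samples: what the user believes was copied, and what the article
// describes arriving on the clipboard instead.
const expected = 'echo "not evil"';
const received = 'echo "evil"\n';
```

A terminal or paste wrapper would show the preview and the findings, and pass the text on only after the user confirms.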

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
