You think it is harmless. You want to capture a snippet of code from an online tutorial for future use. You don’t want to re-type it for fear you will make a mistake. So, you decide it’s faster and easier to just copy and paste. Are you aware of what could happen? Did you just make a mistake?
In the code you copied, a hacker may have hidden malicious code that could download and install malware on your computer without your knowledge. If there is an opportunity, a hacker will exploit it. You may think that you will never fall for such a trick but mistakes do happen.
Out with the Old – In with the New
Appending malicious content to a clipboard is not a new concept. Exploits within Cascading Style Sheets (CSS) have been used in the past. An attacker can use CSS to append malicious content in a clipboard without the user knowing making it easy to execute commands. This is known as clipboard hijacking.
A newer version of the attack using JavaScript was demonstrated on GitHub by Dylan Ayrey, a Full Stack Developer. In the demonstration, he shows that you do not need to grab the entire text to execute a command. The JavaScript code could cover the entire page and all that needs to be captured is one letter.
This is known as pastejacking. It is when a victim doesn’t see what they are pasting before it is executed. It is executed using only the keyboard shortcut (CTRL-V) with JavaScript enabled.
A key differentiator in pastejacking is that the code can be delayed to execute after an event. An attacker can wreak hack by combining pastejacking with a malicious phishing email.
The Bypass
There are a couple of options that you can take to prevent code running. You can turn JavaScript off or you can copy the content first to a text editor. This poses as an intermediate measure. No code will be executed here. You can see if there any additional lines of code that you did not select before pasting it to where you really want it to go.
There are third-party tools that give you control on whether a script has permission to run, temporarily run or be blocked from a particular site. The problem is that these tools are not 100% foolproof.
In the research paper CrossFire: An Analysis of Firefox Extension Re-Use Vulnerabilities, it identifies nine out of the top popular browser add-ons for FireFox that contain exploitable vulnerabilities. NoScript is one of them. These add-ons are susceptible to what is known as an extension re-use vulnerability. An attacker can piggyback off the trusted add-on extension to conceal malicious behavior.
Conclusion
Don’t rely on third-party tools to protect you from hidden malicious code. Don’t rush to paste that text into your computer. The best course of action is to review what you have copied first in a text editor. Be of the mindset that what you copied is potentially hostile until you have sanitized it.
Leave a Comment