Pastejacking: using malicious javascript to insert sneaky text into pasted terminal commands

When a computer stops behaving, the solution often involves looking up an obscure command and pasting it into the terminal — even experienced administrators and programmers aren't immune to this, because remembering the exact syntax for commands you use once every couple years is a choresome task.

For many years, security researchers have warned that CSS can be used to trick users by putting different text on the clipboard than the highlighted text on the screen, inserting malicious commands in place of innocuous ones.

But a new attack, dubbed "Pastejacking," uses javascript to make much sneakier clipboard insertions, including one proof-of-concept that changes the content of the clipboard over time, so a quick paste produces a different result to one that comes later.

The default Mac terminal warns users when they're pasting commands that have a carriage return, and gives them the option of removing it. This seems like a good countermeasure to me — I'd like a version for my terminal program that let me always strip out CRs when pasting.

echo "not evil"

Will be replaced with

echo "evil"\n

Note the newline character gets appended to the end of the line. When a user goes to paste the echo command into their terminal, "evil" will automatically get echoed to the screen without giving the user a chance to review the command before it executes. More sophisticated payloads that hide themselves can also be used, such as something demoed here and seen below

touch ~/.evil
echo "not evil"

This command will create an evil file in your home directory and clear the terminal out. The victim appears to have the command they intended to copy, nicely pasted into the terminal.

Pastejacking [Dylan Ayrey/Github]

(via /.)

(Image: DEC VT100 terminal, Jason Scott, CC-BY)