Put away your wget and curl, your SOAP clients and WSDLs, WebDAV servers, REST APIs and JSON callbacks; when it comes to moving data off websites and on to your computer the sticky stuff that greases the wheels is copy and paste.
This side of haptic gloves, Ctrl+C and Ctrl+V is as close as we can get to reaching out and grabbing something off the web. It’s the cyber-grab you cyber-learn in your cyber-infancy and never cyber-forget because you endlessly cyber-repeat it.
Repetition teaches us that what goes in to our hand when we Ctrl+C (grab something) comes out of our hand when we Ctrl+V (let it go).
But what if it didn’t?
What if you reached out to grab one apple but when you opened your hand you had a pear? Or a piranha?
Pastejacking with Javascript
Javascript is a programming language that can be embedded into HTML web pages and, perhaps more than any other technology, it’s what turned the web from a collection of documents you could read into a collection of applications you can use.
It can’t break out from your browser and put things on your computer, but within the sandboxed confines of a web page it can access all sorts of powerful functionality that makes possible everything from Nyan Cat to Gmail (and, when you’re all nyaned-out, Chrome Experiments.)
With your permission it can trigger push notifications and geolocation, and without your permission Javascript can store megabytes of data in your browser’s cache, open windows, move things around the page, draw things on virtual canvases, log your keystrokes and track your mouse.
And, thanks to a function called execCommand('copy'), it can paste cyber-piranhas to your clipboard too.
An excellent demonstration of how to do this and why it’s a bad idea has been put together by hacker Dylan Ayrey on Github and his personal site security.love.
In the demo, users are invited to copy the text echo "not evil" and witness with horror as what they actually paste is the cruelly different echo "evil"\n.
The execCommand('copy') command that performs this magic needs a trigger, known as an ‘event’, to run, so Ayrey’s code uses the keydown event, which happens to be triggered when you use the keyboard shortcut Ctrl+C. The code then waits 0.8 seconds and switches out the text in your clipboard.
The snippets of text in the example aren’t just words, they’re valid computer commands that can be run inside a terminal window (that mysterious, featureless black window with white text that ‘power users’ never see and real geeks use to get work done).
The \n on the end of echo "evil"\n is a newline, and if you type a newline into a terminal window it will run the preceding command immediately.
In other words Ayrey has offered you something that won’t run until you tell it to and then replaced it behind your back with something else that will run as soon as you paste it.
Luckily for anyone using Ayrey’s example, it’s a benign command that ends up getting run, but of course it doesn’t have to be; an attacker could just as easily make you think you’re copying something safe and replace it with a command that deletes your home directory and steals your password file.
Pastejacking with CSS
If you switch off Javascript altogether, or use a browser add-on like NoScript that lets you choose when to run Javascript, you can render yourself invulnerable to Ayrey’s pastejacking technique, but there’s another way to smuggle commands into your clipboard that doesn’t rely on Javascript.
HTML is the language web pages are written in, but it’s CSS (Cascading Style Sheets) that determines how they look.
It’s CSS that rearranges pages to work in everything from phones to cinema screens, sizes text, adds columns, adds colour, rounds edges, positions logos, and supplies the white space that designers love to add and clients love to ask designers to remove.
It can also be used to position things on the page or, more usefully for malicious pastejackers, off the page where you can’t see them.
Hacker Jann Horn has a demo that shows just this technique on his website thejh.net.
In Horn’s example, what appears to be a command to copy a git source repository:
git clone git://git.kernel.org/pub/scm/utils/kup/kup.git
…is in fact a much longer command that still copies a git source repository, but not before it has written out a personalised warning alongside the first line of your password file.
git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust! Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd git clone git://git.kernel.org/pub/scm/utils/kup/kup.git
Under the hood, in the page’s code, all the text is there as you see it above but Horn has used CSS to display the nasty bit in the middle 100 pixels above and to the left of the page where you can’t see it.
Don’t trust cut and paste from web pages
For programmers, developers, admins, hackers and geeks of all flavours the web is the most useful learning tool imaginable. Examples of code are everywhere on the web, ready to be deciphered, discussed, questioned, picked over, picked apart and, above all, copied, pasted and run.
Unfortunately, thanks to CSS, you don’t necessarily know what you’re copying and, thanks to Javascript, you don’t necessarily know what’s in your clipboard.
There are terminals that will warn you if you’re pasting something that ends in a newline character, and there are browsers, say Lynx or Mosaic, that can insulate you from the modernity of CSS and Javascript. The best defence, however, is one that anyone with the knowledge and inclination to copy and paste commands into a terminal should know by heart already: you can’t trust user input.
I suggest that you don’t rely on third party tools to save you – just assume that everything is hostile until you’ve sanitised it or proved it’s OK.
The simplest way to do that is to paste anything you copy from a web page into something that can’t run commands, like NOTEPAD or TextEdit, and examine it first.
Then copy it again and paste it where you really want it.
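The "examine it first" step can be made mechanical. The following is an added example, not code from this article or from the Ayrey and Horn demos: a small Node.js check that compares the text you believed you copied with what the clipboard actually holds, and reports the things a terminal acts on but a web page never visibly renders, namely a trailing newline (the command runs the moment it is pasted), other control and zero-width characters, and shell statements that were positioned off-screen. The helper names (splitShellStatements, inspectPaste, describe) and the report shape are this example's own; the two sample inputs are constructed from the demos as the article describes them.

```javascript
// Added example, not code from the article or from the Ayrey/Horn demos:
// a "look before you paste" check for text taken off a web page.
// The helper names and the report shape are this example's own.

// Characters a terminal or shell may interpret without showing them.
const HIDDEN_CHAR_NAMES = {
  '\n': 'LF newline (runs the preceding command immediately)',
  '\r': 'CR carriage return',
  '\t': 'TAB',
  '\x1b': 'ESC (start of a terminal escape sequence)',
  '\u200b': 'ZERO WIDTH SPACE',
  '\u200c': 'ZERO WIDTH NON-JOINER',
  '\u200d': 'ZERO WIDTH JOINER',
  '\u2060': 'WORD JOINER',
  '\ufeff': 'BYTE ORDER MARK',
};

// Split a one-liner into shell statements on ';', newline, '|', '||', '&', '&&',
// honouring single/double quotes and backslash escapes. Enough for the demos
// on this page; it is not a complete shell parser.
function splitShellStatements(text) {
  const statements = [];
  let current = '';
  let quote = null; // null, "'" or '"' while inside a quoted region
  const flush = () => {
    if (current.trim()) statements.push(current.trim());
    current = '';
  };
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {                       // inside quotes nothing separates
      current += ch;
      if (ch === quote) quote = null;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      current += ch;
    } else if (ch === '\\') {          // keep an escaped character verbatim
      current += ch + (text[i + 1] ?? '');
      i++;
    } else if (ch === ';' || ch === '\n' || ch === '|' || ch === '&') {
      if ((ch === '|' || ch === '&') && text[i + 1] === ch) i++; // '||', '&&'
      flush();
    } else {
      current += ch;
    }
  }
  flush();
  return statements;
}

// Compare what the page showed (`shown`) with what the clipboard holds (`pasted`).
function inspectPaste(shown, pasted) {
  const hidden = [];
  for (let i = 0; i < pasted.length; i++) {
    const ch = pasted[i];
    const code = ch.charCodeAt(0);
    if (HIDDEN_CHAR_NAMES[ch]) {
      hidden.push({ index: i, name: HIDDEN_CHAR_NAMES[ch] });
    } else if (code < 0x20 || code === 0x7f) {
      hidden.push({ index: i, name: 'control U+' + code.toString(16).padStart(4, '0').toUpperCase() });
    }
  }
  const statements = splitShellStatements(pasted);
  const expected = splitShellStatements(shown);
  const unexpected = statements.filter((s) => !expected.includes(s));
  return {
    matches: shown === pasted,
    endsWithNewline: pasted.endsWith('\n'),
    hidden,
    statements,
    unexpected,
    safeToPaste: shown === pasted && hidden.length === 0,
  };
}

// Turn a report into the warning lines a cautious user would want to read.
function describe(report) {
  if (report.safeToPaste) return ['clipboard matches what was shown; no hidden characters'];
  const lines = [];
  if (!report.matches) lines.push('clipboard text differs from what the page showed');
  if (report.endsWithNewline) lines.push('ends with a newline: a terminal would run it on paste');
  for (const h of report.hidden) lines.push(`hidden character at offset ${h.index}: ${h.name}`);
  for (const s of report.unexpected) lines.push(`unexpected statement: ${s}`);
  return lines;
}

// Constructed samples, built from the two demos as the article describes them.
const AYREY_SHOWN = 'echo "not evil"';
const AYREY_PASTED = 'echo "evil"\n';
const HORN_SHOWN = 'git clone git://git.kernel.org/pub/scm/utils/kup/kup.git';
const HORN_PASTED = String.raw`git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust! Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd git clone git://git.kernel.org/pub/scm/utils/kup/kup.git`;

for (const [shown, pasted] of [[AYREY_SHOWN, AYREY_PASTED], [HORN_SHOWN, HORN_PASTED]]) {
  console.log(`shown:  ${JSON.stringify(shown)}`);
  console.log(`pasted: ${JSON.stringify(pasted)}`);
  for (const line of describe(inspectPaste(shown, pasted))) console.log('  ! ' + line);
}
```

Run it with node and the Ayrey sample is flagged for the trailing newline and the changed command, while the Horn sample is flagged for six statements that were never on screen; the check only reads the text, so it is safe to run on anything you are unsure about. Wire it to your clipboard tool of choice (xclip, pbpaste, Get-Clipboard) if you want it as a habit rather than a demo.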
Wilderness
Gah!
foo
“…the sticky stuff that greases the wheels is cut and paste.”
“…Ctrl+C and Ctrl+V is as close as we can get to reaching out and grabbing something off the web…”
It should be copy and paste, not cut and paste. CTRL+C = copy; CTRL+X = cut.
Paul Ducklin
Fixed, thanks.
Chris
Paste to a text editor, then copy and paste from that if you still like what is on offer. I do it already to discard formatting.
Paul Ducklin
That’s what we suggested at the end of the article :-)
treFunny
This is a good idea anyway to clear formatting… can't tell you how many times people cut and paste a username (or pw) and the form field they paste into is too small to see the end of the text pasted.. additional formatting was included resulting in a failed login because “username%22_5” isn’t valid.
Then the user calls: “is there something wrong with the internet”… gah!
Jerry
Hi, Found this article very interesting, and realised I must change what I’ve been doing. So I duly cut and pasted it into notepad, went to examine it with security scan, but then found that I hadn’t got that option. Just how do I examine it in notepad, before cutting and pasting it onto a document to be saved on my computer? Sorry, I clearly am not technical enough to follow through on this article. Great warning, but what should I do with it while it’s in notepad to examine it. Can you please explain?
Paul Ducklin
The main thing to look out for in the trick we describe here is whether what you pasted into NOTEPAD looks different from what you copied from the web page. The danger we describe here is that you might run a command by mistake, but there’s also the more mundane problem that you might simply end up with bogus data, such as “£500” instead of “$5”, or “Dear Boss,[blank line][blank line]I quit!” instead of simply “Dear Sir”.
Google does something akin to this with its search links. Try searching for, say, “banana.” The first link is to the Wikipedia entry, which shows up when you hover over it as:
https COLON SLASH SLASH en.wikipedia.org/wiki/Banana
That looks neat, tidy and definitive, so you think, “I know, I’ll copy and paste that link for reference purposes.”
But when you hit Ctrl-C, what ends up in the clipboard is Google’s tracking-flavoured link, something like:
https COLON SLASH SLASH www.google.com/url?...[etc]...&url=https%3A%2F%2Fen.wikipedia.org...[etc]...
Better to find that out through the intermediate step of pasting it via NOTEPAD than blindly pasting it into a message to a friend and hitting [Send].
Think of it as a second chance to review whether What You Saw Was Really What You Got :-)
Jerry
Hi Paul, many thanks for your further explanation. I got it this time! I suspect from your explanation because I was cutting and pasting into a text / word document in open office I was ‘safe’ anyway. But I’m more than happy to try it first via notepad if it means avoiding any potential problems as you have described. Excellent newsletters. Always something educational / worthwhile in them.
cakmn
I’ve noticed that some news sites add text to whatever one copies from their articles. The text typically says something on the order of “To read the full article, follow this link,” with the link being to the article the text was copied from. I see this when I copy part of the text of the article to include in a post when I share an article on Facebook. I almost always paste the copied text into a text editor to incorporate it into my commentary to go with the post. I never before thought about the possibility of undesirable material being added to the Copy that way, so thanks for the informative article.
qqq
My local news site does the same thing. To make things worse, when you paste something into their comment box to quote, your comment doesn’t get posted because of the link…
This should be treated as malware.
Ken Brody
I’ve seen this for quite some time, when the pasted text included the URL the text was copied from. (I forget which website does this.) I never really looked into how this was done. Thanks for a peek.
Anonymous
What about clip art? Or is this just for text?
Paul Ducklin
If you’re copying graphics and formatting, pasting into NOTEPAD won’t work as it is deliberately “lossy.”
Presumably you aren’t pasting the image into a terminal or other command window, though?
Jerry Jensen
Is “paste as plain text” as good as using notepad as an intermediary?
Mike Sierra
How does all this affect “Click and drag” (I hope I have that right).
I use this method when copying from the web to an Open Office or Libre Office document to save to my computer.
Paul Ducklin
I don’t know, but I have always assumed that click-drag-drop is the same as copy-move-paste. Which is probably a risky assumption :-)
p almonius
Not dangerous but annoying are news sites that concat the URL to the page in anything you copy. These are usually the ones where you just want to google something that appeared in the article …
Shirley Marquez
Unfortunately, pasting into Notepad or the like also costs useful functionality. If you copy styled text with the intention of importing the styles into your word processor, forget it – if you go via Notepad all you get is plain text.
Paul Ducklin
True, but the idea here is quite deliberately to *lose* any hidden markup when you know you’re trying to copy text and don’t want any “formatting surprises”.
Anonymous
NoScript is quite useful, it defeats a lot of user tracking by third parties that is all too prevalent, especially on the so called news websites.
Steven Murphy
“In the demo, users are invited to copy the text echo “not evil” and witness with horror as what they actually paste is the cruelly different echo “evil”\n”. – Notice it did not change
I tried it again – success. I always get what I copy
Exception – If I copy news article I get url of article or refuse to paste to – sometimes
rich
As I understand the article, the danger of undesired code execution described here occurs when pasting into a terminal or other command window.
Is undesired code execution also a risk when pasting into workaday email or office documents? If not, then–other than formatting issues–what is the danger of reviewing the validity of the pasted text directly in the desired email or office document without using an intermediary plain-text editor?
Micah Henning
This really isn’t a big deal. If you go to the researcher’s example you’ll see that anything you copy yields the same pasted content; the keyboard event fires regardless of the content copied. And right-clicking content and selecting copy yields the correct result. Only keyboard users are affected here.
Furthermore, truly sensitive actions would prompt for an administrative or root password in Windows, Mac OS, and *nix operating systems. An individual copying “good code” would suspect something fishy when the pasted “bad code” stops to receive a password, especially if the individual did not expect a password to be required at all.
Anonymous
But on a phone???