Old tricks are new again: Dangerous copy & paste
Contributed by: Email on 04/16/2013 02:26 PM
Copying and pasting something does not necessarily mean the user will get what they think they are getting. With a little bit of HTML magic, one can even trick unwitting web site visitors into executing shell commands without their knowledge. The trick is by no means new, but it is currently being demonstrated again on several web sites, which means Linux users especially have to be careful about what they copy and paste.
In theory, the trick also works in Windows and Mac OS X, but on those platforms it is usually harder to get users to open a command-line window and paste commands into it. For many Linux users, however, this behavior is still a normal thing to do. Many how-to guides and documentation pages include commands such as sudo apt-get install package name that users are expected to either duplicate manually or, the more likely approach, copy and paste into a command-line window. Most users will copy and paste such commands because that approach is more convenient.
A page on The H's Browser check shows how this behavior can be exploited. When a user pastes what they think is an innocent command that does what the page they copied it from advertises, another command is actually executed automatically with their credentials. This could delete all of their data or send them to a server on the public internet. If the user is still authenticated with sudo on a Linux machine, the command could even be executed with administrator privileges, which could lead to much more dangerous results.
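One way to check clipboard text before it reaches a shell, as an added example that is not part of the original article: the function lists reasons a paste is unsafe, on the assumption that the automatic execution relies on a line break in the copied text, which a terminal treats as pressing Enter. The names audit_paste and render and both sample strings are constructed for illustration.

```python
import unicodedata

# Constructed samples: the command a page displays, and what a copy
# operation might actually place on the clipboard.
VISIBLE = "sudo apt-get install examplepkg"
CLIPBOARD = "echo CONSTRUCTED-HIDDEN-LINE\nsudo apt-get install examplepkg\n"


def audit_paste(clipboard, visible=None):
    """Return a list of reasons not to paste `clipboard` into a shell."""
    findings = []
    body = clipboard.rstrip("\r\n")
    if body != clipboard:
        # A trailing newline acts like Enter: no chance to review the line.
        findings.append("trailing line break: the shell runs the line on paste")
    if "\n" in body or "\r" in body:
        findings.append("embedded line break: more than one command line")
    for ch in body:
        # Cc = control characters, Cf = format characters (e.g. zero-width).
        if unicodedata.category(ch) in ("Cc", "Cf") and ch not in "\n\r\t":
            findings.append(f"invisible character U+{ord(ch):04X}")
    if visible is not None and body.strip() != visible.strip():
        findings.append("clipboard text differs from the text shown on the page")
    return findings


def render(clipboard):
    """Make every non-printable character visible for manual review."""
    return "".join(
        ch if ch.isprintable() else f"<U+{ord(ch):04X}>" for ch in clipboard
    )


if __name__ == "__main__":
    print(render(CLIPBOARD))
    for reason in audit_paste(CLIPBOARD, VISIBLE):
        print("WARNING:", reason)
```

Pasting into a text editor first gives the same manual review without any tooling.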