Paste Jacking
-
Don't copy and paste code off the net into your terminal ever.
-
Kinda interesting. Not sure why meddling with the clipboard is now seen as a feature.
OTOH, couldn't repro it myself with Firefox+Vimperator. Not sure what exactly breaks, but I tried all four copy-pasting variants (select text + middle-click to paste, shift-Y, Ctrl-C with ignore keys, and right-click + select "Copy").
-
@cvi Worked for me. I usually add # before pasting, but that's obviously trivially easy to get past.
I should probably paste into a text editor first I guess. A normal text editor, not fucking vim.
-
@cartman82 said in Paste Jacking:
A normal text editor, not fucking vim.
Yeah. I tried it by pasting into vim, then went on to read the rest of the page. It's rather unusual to see exploits targeting vim specifically. :-O
-
This isn't a new thing. This was reported, and discussed here more than a year ago. Can't be arsed to find the thread.
-
Ok, so here's what I'll be doing from now on:
<<gfhjgfhdfhdf
then paste the stuff.
If I get something like this:
<<gfhjgfhdfhdf rm -rf ~
Ctrl+D, don't use this pasted code. Report the site, I guess? Probably just shitpost on WTDWTF.
Alternatively:
<<gfhjgfhdfhdf echo "safe"
Ctrl+D, up arrow (to bring back the prev command), Home, delete the
<<gfhjgfhdfhdf
part, press enter to run it.
-
@cartman82 said in Paste Jacking:
A normal text editor, not fucking vim.
Any program that knows that a Paste is Just a Paste (a smile is just a smile, …) will be OK.
-
@cartman82 This is what I do, I just stick anything into gedit / notepad++
-
It didn’t work for me when copying from Safari; checking the console shows that the script logs “Copying text command was unsuccessful”. Trying it in Chrome, though, it does work.
-
@DoctorJones I'd die too, if I fused my hand with a giant plastic desk block.
-
@lucas1 said in Paste Jacking:
Don't copy and paste code off the net into your terminal ever.
Not a new phenomenon - earliest reference I'm aware of was 8 years ago.
-
@PJH TBH even if it isn't supposed to be malicious it can still be harmful if you aren't aware what you are doing.
When Ubuntu Warty was released in 2004 there were a lot of people "helping" noobs, and I saw a few things like this:
dd if=~/home/something.iso of=/dev/sda bs=512
"/dev/sda" at the time was the first disk on a sata controller (usually) and the command would have nuked everything.
-
@lucas1 That's ok, they can just hit control-Z and undo it.
-
@lucas1 :noscript.txt:
-
@fbmac said in Paste Jacking:
@cartman82 said in Paste Jacking:
fucking vim
is there a vim command for that?
Not sure. There's probably an emacs macro for it though.
-
We're worried about pastejacking now? There are still people piping curl to bash!
-
@anotherusername said in Paste Jacking:
@Lorne-Kates said in Paste Jacking:
@lucas1 :noscript.txt:
@PJH's link didn't even use scripting:
Oh, the irony...
-
@PJH said in Paste Jacking:
@julianlam said in Paste Jacking:
There are still people piping curl to bash!
TRWTF is that later that hour I admitted to piping curl to bash to install nvm.
-
@Lorne-Kates said in Paste Jacking:
@lucas1 :noscript.txt:
You don't always need the help of JavaScript to do this kind of prank.
Try the following on a local test page:
echo "Hello <div style="display: inline; opacity: 0; float: right">new</div> World!"
There are lots of ways to inject content when you copy and paste web content. (And this has legitimate uses: to inject "watermarks" on online novel sites so people cannot just "copy and paste" it to other sites without finding some way to filter the unwanted text out.)
-
@julianlam Yeah and some people just committing broken-ass code directly to their master branch without any sort of testing or code reviews!
-
@cheong said in Paste Jacking:
You don't always need the help of JavaScript to do this kind of prank.
Try the following on a local test page:
echo "Hello <div style="display: inline; opacity: 0; float: right">new</div> World!"
Something similar works in the JS console too (Firefox and Chrome):
console.log("Hello %cnew %cWorld!", "font-size:0;", "")
Guess what's copied if you highlight that
Hello World!
and copy it?
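The copy-event substitution the thread is about, together with the kind of pre-paste check that cartman82's heredoc trick and the hidden-text tricks above call for, as an added example that is not from the thread or from any site it mentions. It runs under Node with a simulated ClipboardEvent (in a browser the same handler would be attached with document.addEventListener('copy', ...) and use event.clipboardData.setData); the selected text, the substituted payload and the function names are all constructed for this example.

```javascript
// Added example, not from the thread. The event object is a stand-in for the
// browser's ClipboardEvent so that the handler can run under Node without a DOM.

// Attacker side: the user selected some text, but the page's copy handler
// replaces the clipboard payload. The trailing "\n" is the dangerous part:
// a terminal paste executes the line before the victim has a chance to read it.
function hijackCopyHandler(event, payload) {
  event.preventDefault();                          // suppress the browser's default copy
  event.clipboardData.setData('text/plain', payload);
}

// Minimal fake ClipboardEvent: records preventDefault() and the data set on it.
function makeFakeCopyEvent(selectedText) {
  const store = new Map();
  return {
    defaultPrevented: false,
    selectedText,
    preventDefault() { this.defaultPrevented = true; },
    clipboardData: {
      setData(type, value) { store.set(type, value); },
      getData(type) { return store.has(type) ? store.get(type) : ''; },
    },
  };
}

// Simulate a copy: the user selected `selected` on a page whose handler
// substitutes `payload`. Returns what actually lands on the clipboard.
function simulateCopy(selected, payload) {
  const ev = makeFakeCopyEvent(selected);
  hijackCopyHandler(ev, payload);
  return ev.defaultPrevented ? ev.clipboardData.getData('text/plain') : selected;
}

// Defender side: things worth flagging in pasted text before it reaches a shell.
function inspectPaste(text) {
  const findings = [];
  if (/\r?\n/.test(text)) {
    findings.push('contains newline (would auto-execute when pasted into a shell)');
  }
  // C0 control characters other than tab, LF and CR, plus DEL (e.g. ESC sequences)
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(text)) {
    findings.push('contains control characters');
  }
  // Zero-width, bidi-override and BOM characters commonly used to hide text
  if (/[\u200b-\u200f\u2028-\u202e\u2060-\u2064\ufeff]/.test(text)) {
    findings.push('contains zero-width or bidi characters');
  }
  return findings;
}

// The CSS opacity:0 and console %c tricks insert plain words, which inspectPaste
// cannot see; the only test for those is comparing what was visibly selected with
// what the clipboard actually holds. Also rejects any embedded newline.
function pasteMatchesSelection(selected, clipboard) {
  return selected.trim() === clipboard.trim() && !/\n/.test(clipboard);
}
```

In practice the comparison step is what pasting into a plain editor first gives you: the editor shows the newline and the extra words that the terminal would have acted on.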
-
Now I remember why the term "Paste Jacking" kept tickling memories of something:
Something*Positive:
-
@dkf said in Paste Jacking:
@cartman82 said in Paste Jacking:
A normal text editor, not fucking vim.
Any program that knows that a Paste is Just a Paste (a smile is just a smile, …) will be OK.
A woman is only a woman.
Filed under: but a good cigar is a smoke
-
@blakeyrat master != stable