Other issues in this category (38)
Ctrl + C, Ctrl + V = THREAT
We all copy pieces of texts from sites or documents every now and then. The Anti-virus Times has already warned its readers that clicking on links can be dangerous because, by doing so, users can trigger the execution of another command. But now it turns out that copying plain text can be hazardous too.
Everyone knows that sites can monitor (and block) attempts to copy information from them. But this feature can also be used to inject additional information into the clipboard. For example, some sites add a link to the page the text is being copied from. And since there is a way to add harmless data, why not opt for something malicious? And you'll never notice!
To conceal the additional information, attackers can employ special characters. Here is an example for the vim utility which is well known to Linux users:
In this demo users are offered the ability to copy a string from the browser window (select the text and press Ctrl+C):
echo "not evil"
Pasting the contents into the terminal window will reveal a different string:
To hide the altered content, attackers can use such commands as "clear" and "echo -ne '\033[1F\033[2K'". Here is another example:
echo "not evil"
This means that by inserting commands into the altered text, an attacker can replace the text you want to copy with the string they need.
The attack options are many. Many programmers make use of the git version control system. Access to the system can be facilitated via a website.
A description of another attack was published. It shows how a portion of code being output using the "git diff" command (often used to examine patch code) can be concealed . By introducing the escape sequence "[8m" into the code, an attacker can make some of it invisible in a VT100 terminal window.
For non-programmers: the printf command should display the phrase "I'm just a stub!”. Instead, it outputs "I'm just a stub! Insert bad backdoor here...!". - a portion of the text is not displayed.
And this attack was discovered in 2013, but it still works:
The attack concept exploits users' confidence when they copy command examples from various sites.
By using the “span” element, an attacker can push an unsuspecting user into copying invisible text and thus make them execute arbitrary command in their terminal.
You can open the link yourself, copy the string that starts with “git clone" and see what text will actually be pasted.
- Don't believe what you see: before you choose to execute a piece of code or hit Enter, check what you've actually copied.
- Insert the string into a plain text file rather than an office document or the command prompt.