Put away your wget and curl, your SOAP clients and WSDLs, WebDAV servers, REST APIs and JSON callbacks; when it comes to moving data off websites and on to your computer the sticky stuff that greases the wheels is copy and paste.
This side of haptic gloves, Ctrl+C and Ctrl+V is as close as we can get to reaching out and grabbing something off the web. It’s the cyber-grab you cyber-learn in your cyber-infancy and never cyber-forget because you endlessly cyber-repeat it.
Repetition teaches us that what goes in to our hand when we Ctrl+C (grab something) comes out of our hand when we Ctrl+V (let it go).
But what if it didn’t?
What if you reached out to grab one apple but when you opened your hand you had a pear? Or a piranha?
It can’t break out from your browser and put things on your computer, but within the sandboxed confines of a web page it can access all sorts of powerful functionality that makes possible everything from Nyan Cat to Gmail (and, when you’re all nyaned-out, Chrome Experiments.)
And, thanks to a function called
execCommand('copy') it can paste cyber-pirhanas to your clipboard too.
An excellent demonstration of how to do this and why it’s a bad idea has been put together by hacker Dylan Ayrey on Github and his personal site security.love.
In the demo, users are invited to copy the text
echo "not evil" and witness with horror as what they actually paste is the cruelly different
execCommand('copy') command that performs this magic has to have a trigger, known as an ‘event’ to run, so Ayrey’s code uses the
keydown event which happens to be triggered when you use the keyboard shortcut for Ctrl+C. The code then waits 0.8 seconds and switches out the text from your clipboard.
The snippets of text in the example aren’t just words, they’re valid computer commands that can be run inside a terminal window (that mysterious, featureless black window with white text that ‘power users’ never see and real geeks use to get work done).
\n on the end of
echo "evil"\n is a newline and if you type a newline into a terminal window it will run the preceding command immediately.
In other words Ayrey has offered you something that won’t run until you tell it to and then replaced it behind your back with something else that will run as soon as you paste it.
Luckily for anyone using Ayrey’s example it’s a benign command that ends up getting run, but of course it doesn’t have to be; an attacker could just as easily make you think you’re copying something safe and replace it with a command that deletes your home directory and steals your password file.
Pastejacking with CSS
HTML is the language the web pages are written in but it’s CSS (Cascading Style Sheets) that determines how they look.
It’s CSS that rearranges pages to work in everything from phones to cinema screens, sizes text, adds columns, adds colour, rounds edges, positions logos, and supplies the white space that designers love to add and clients love to ask designers to remove.
It can also be used to position things on the page or, more usefully for malicious pastejackers, off the page where you can’t see it.
In Horn’s example, what appears to be a command to copy a git source repository:
git clone git://git.kernel.org/pub/scm/utils/kup/kup.git
…is in fact a much longer command that still copies a git source repository but not before it’s written out a personalised warning alongside the first line of your password file.
git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust! Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd git clone git://git.kernel.org/pub/scm/utils/kup/kup.git
Under the hood, in the page’s code, all the text is there as you see it above but Horn has used CSS to display the nasty bit in the middle 100 pixels above and to the left of the page where you can’t see it.
Don’t trust cut and paste from web pages
For programmers, developers, admins, hackers and geeks of all flavours the web is the most useful learning tool imaginable. Examples of code are everywhere on the web ready to be deciphered, discussed, questioned, picked over, picked apart and, above all copied, pasted and run.
I suggest that you don’t rely on third party tools to save you – just assume that everything is hostile until you’ve sanitised it or proved it’s OK.
The simplest way to do that is to paste anything you copy from a web page into something that can’t run commands, like NOTEPAD or TextEdit and examine it first.
Then copy it again and paste it where you really want it.
(The post has been translated into Italian with explicit permission of Naked Security )