Why You Shouldn't Copy
Tempted to copy-paste a command online? Think twice.
From computers to mobile phones, copy-pasting is everywhere. It makes life easier and saves you time, as you don't have to type long commands or repetitive text. However, if you aren't careful, you can get hacked simply by copy-pasting commands into your computer's terminal.
Let's learn how copying and pasting can get you hacked, and what you should do to prevent it.
Whether you're new to using the command line or you're a seasoned veteran, you may be tempted to copy-paste commands from the internet to save time and get actual work done. However, you should be aware that malicious sites are weaponizing code boxes to inject malicious code whenever you copy-paste commands directly into the terminal.
These malicious actors are using various frontend tricks to conceal malicious commands behind harmless-looking code.
A command like sudo apt-get update && apt-get upgrade should normally update the repositories and upgrade the packages on a Linux system. However, if you're unaware and copy-paste this command directly into your terminal, you might be unknowingly executing malware code with root privileges due to the sudo prefix.
In the worst-case scenario, this could possibly result in a complete takeover of your system or even a ransomware attack. But, how do the threat actors do this? How can malicious commands be hidden behind harmless code?
This exploit can be carried out using cleverly crafted JavaScript or even basic HTML. JavaScript has a mechanism called EventListener. Events are actions that can happen in the browser, such as clicking a button, submitting a form, mouse movement, pressing keystrokes, or resizing the window.
The EventListener, as the name suggests, enables your web application to react to certain events triggered by user action. Malicious webpages exploit this legitimate and useful mechanism by capturing the event where a user is copying text and replacing the harmless text with malicious code.
Here's the main exploit code used to build the demo image:
Here's another demo that doesn't require any JavaScript and uses vanilla HTML:
This creates invisible white text, effectively hiding the malicious command "rm -rf /", and the <br> tag creates a line break so that some terminals will immediately execute the code upon pasting it. You might think that a strong grasp of programming and web development is required to carry out this attack but, in reality, it's actually quite easy.
Even if an attacker doesn't have any knowledge of JavaScript or web development, they can easily create malware using ChatGPT. With the right prompts, one can easily jailbreak ChatGPT and make it create malicious web pages that make use of this trick.
There's no concrete way to protect yourself against malicious code attacks. Sure, you can disallow JavaScript for suspicious sites but, by their nature, they probably wouldn't allow you to browse without JavaScript turned on.
Moreover, for the CSS (Cascading Style Sheets) method, there's no concrete defense against malicious commands since it's still valid CSS code (i.e. there's nothing wrong with it but the intent is still malicious). The best way to protect yourself would be just to follow basic internet hygiene and have your wits about you.
Don't visit unknown links and make sure to always paste the command you're copying from the internet into a text editor before pasting it into the terminal. Stick to legitimate and reputable code resources to make sure you're not welcoming malicious code into your command line.
Additionally, a few terminals, like xfce4-terminal, come pre-equipped with copy-paste protection. They display a pop-up that tells you exactly what will be executed as soon as you paste a command into your terminal. Check whether your terminal has a similar mechanism and activate it.
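The text-editor check advised above can also be scripted. The following is an added example, not code from the original article: a small Python checker that flags pasted text which differs from what the page displayed, spans several lines, ends in a line break, or carries control or invisible characters. The function names, finding labels and sample strings are assumptions made for this illustration, and the control-character and invisible-character checks go beyond the two tricks the article describes.

```python
import sys
import unicodedata


def visible(text):
    """Render text with every non-printable character shown as an escape."""
    out = []
    for ch in text:
        if ch == "\n":
            out.append("\\n\n")  # show the line break, then keep the layout
        elif unicodedata.category(ch) in ("Cc", "Cf"):
            out.append("\\x%02x" % ord(ch) if ord(ch) < 256 else "\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def inspect_paste(pasted, expected=None):
    """Return findings about text that is about to be pasted into a shell."""
    findings = []
    # What was copied is not what the page displayed.
    if expected is not None and pasted.strip() != expected.strip():
        findings.append("differs-from-visible-text")
    # More than one non-empty line means more than one command.
    lines = [line for line in pasted.splitlines() if line.strip()]
    if len(lines) > 1:
        findings.append("multiple-commands:%d" % len(lines))
    # A trailing line break makes some terminals run the paste immediately.
    if pasted.endswith(("\n", "\r")):
        findings.append("trailing-line-break")
    if any(unicodedata.category(c) == "Cc" and c not in "\n\r\t" for c in pasted):
        findings.append("control-characters")
    if any(unicodedata.category(c) == "Cf" for c in pasted):
        findings.append("invisible-format-characters")
    return findings


# Constructed sample: what the page showed versus what landed on the clipboard.
SHOWN = "sudo apt-get update && apt-get upgrade"
COPIED = "echo hidden-command\n" + SHOWN + "\n"  # harmless stand-in for a hidden command

if __name__ == "__main__":
    # Inspect piped input if there is any, otherwise the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else COPIED
    print(visible(data))
    for finding in inspect_paste(data):
        print("WARNING:", finding)
```

Pipe the clipboard contents into the script on standard input to review them before pasting; run without piped input, it inspects the constructed sample.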
Even if you've got antivirus installed, certain forms of malicious code execution can still penetrate your device's protective barriers. This is why it's crucial to be wary of the code you copy online and employ protective measures wherever possible to keep yourself safe.
Debarshi Das is an independent security researcher and a Cybersecurity Trainer with a passion for writing about cybersecurity and Linux. With over half a decade of experience as an online tech and security journalist, he enjoys covering news and crafting simplified, highly accessible explainers and how-to guides that make tech easier for everyone. While he's programming and publishing by day, you'll find Debarshi hacking and researching at night.