This sort of <i>attack</i> has been discussed in great detail previously:<p><a href="https://news.ycombinator.com/item?id=10554679" rel="nofollow">https://news.ycombinator.com/item?id=10554679</a><p><a href="https://news.ycombinator.com/item?id=5508225" rel="nofollow">https://news.ycombinator.com/item?id=5508225</a><p><a href="http://thejh.net/misc/website-terminal-copy-paste" rel="nofollow">http://thejh.net/misc/website-terminal-copy-paste</a>
Not sure if this is iTerm2 or zsh, but I have to confirm the code I am pasting by pressing enter, which gives me an opportunity to review it first. I like this feature a lot.
Even more interesting: given the plethora of options terminals have for coloring, moving, erasing and similar, is it possible to hide malicious input from the shell too so that the victim is unaware of it?
What I usually do since I've been shown this kind of attack:<p>- Ctrl-X Ctrl-E: open the default text editor on your system<p>- paste your snippet here and review it<p>- save the snippet in your editor, it is now run.
In zsh, when I paste what I copied from the browser (FF), I get<p>ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.'; echo 'Use GUI interface using visual basic to track my IP'
ls -lat<p>Which seems like it would be pretty stupid for me to press enter on. If we're talking security, it seems the more sane thing to do is not automatically send commands that are pasted in. Zsh being secure and bash not. I feel this is more a developer issue than a user issue.
this should be exploited by Stack Overflow to have a counter on which lines were copied and how many times. With this counter one could know what's the best answer used by many :)
I already paste everything longer than a single line to my non-terminal text editor (e.g. sublime) before I paste it to my terminal or vim. Perhaps I should start doing this for everything.
This is a valid danger but the author goes a bit far with the sudo warning. Unless you're logged in as root to most systems (in which case sudo likely won't be needed to screw your system up), using sudo would result in a password being requested which, I would hope, the user would see as a red flag, especially if they are technical enough to be locating and testing script snippets.
Found another one here: <a href="http://thejh.net/misc/website-terminal-copy-paste" rel="nofollow">http://thejh.net/misc/website-terminal-copy-paste</a>
The "fix" to this problem is not to let your browser hook Ctrl+C. Mozilla, if you're listening, could you perhaps make this an option? Or perhaps display a notice if you notice a JS hook on Ctrl+C?