Free Trial
Contact Us
Podcast

Root Causes 200: Why Not to Copy and Paste Commands from Web Pages

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
January 19, 2022

This episode describes newly revealed vulnerabilities where copying and pasting text from a web page can open the site visitor up to attack. Our hosts explain how this attack can occur and its potential consequences, along with how to defend yourself against this threat.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanYou noticed this article and sent it over to me, and we’re going to talk about it. This is a January 3, 2022 article. I got it out of BleepingComputer. The headline is “Don’t Copy Paste Commands From Web Pages.” You can get hacked. The gist of it, I’m going to try to do it justice, and you can correct me if I get it wrong, is that a white hat researcher Gabriel Friedlander has published a demo basically illustrating the idea that if I go to a web page and I copy what I think is a line of text, the actual text that I might copy and then paste could be different and could be for instance used in an attack.
Jason SorokoJason SorokoI would say the people who are most vulnerable to this attack, Tim, would be developers. I remember being a developer, all my developer friends, we all do this. We search code snippets, and we find the code snippet, and we copy the code snippet from a website, and then we paste i to presumably sometimes right into a command line, or it could be into our code, and my goodness, be careful.
Tim CallanTim CallanYou copy and paste it because you want to be careful. Because if you have to sit and try to recreate it with your fingers, then there’s an opportunity to make mistakes. If you copy and paste it, then you're getting it character for character, exactly the way it should be.
Jason SorokoJason SorokoIn fact, Tim, for developers, developers know this, but most websites that are dedicated to developers in fact have very, very specific formatting on the website so that a piece of text that’s explaining the code will be in a certain format, a very legible format, and then, typically the code itself will be in some sort of encoded formatting so that it’s easy to copy and paste. That’s very common in the modern era, and the countless amounts of code that I’ve copied and pasted, it amazes me that I haven’t thought of this, but when I saw the article, it prompted me to want to talk about this on this podcast because we got a lot of technical people, a lot of people who do administration of PKI and whatnot. I mean, anything and everything. That’s sometimes not just you as a developer but you as an operational person and IT administrator, etc. It’s quite common to copy and paste from a website.
Jason SorokoJason SorokoWhat’s happening, Tim, is underneath the actual piece of text that you’re copying, there’s some JavaScript which is hiding the actual text that you are copying so that when you then paste basically you think you're copying one command, when in fact you’re pasting another command, and what’s worse is quite often if that bad guy wants you to execute that command immediately, especially into a command line, there’s a character turn at the end. In other words, as soon as you hit paste, it’s essentially an executed command, if you are pasting that directly into a command line.
Tim CallanTim CallanWhich one would guess would be the primary attack scenario here.
Jason SorokoJason SorokoIt definitely would lead to the worst-case scenarios. That’s absolutely right.
Tim CallanTim CallanI mean, when you start to say, well, you see this JavaScript down here that’s hiding this, this is deliberate bad-guy behavior. This is not the kind of thing that could occur on accident. This is an attack.
Jason SorokoJason SorokoAbsolutely. But think about this, Tim, and our company, Sectigo, with a SiteLock product, one thing that we look for is defacements, and malicious code put on your website. Think about this. You might be, you might have a fantastic blog, where you offer up code snippets, and you’re perfectly legit, and you’re very handy, and people like your site. Well, what happens if a bad guy has compromised your site, and as a form of defacement unbeknownst to you, that code which looks perfectly legit on the website, has now had an injected JavaScript underneath it.
Tim CallanTim CallanIn that scenario, the person responsible for the content may not even detect it. I go to a site, I read it, and everything looks exactly like it’s supposed to.
Jason SorokoJason SorokoExactly. And it’s not like there’s some sort of checksum for code snippets. It’s not like for large binaries where we doublecheck against, hey, is every i and t, crossed and dotted, here. Typically, code snippets that are just copied and pasted, I don’t know anybody who does anything more than a cursory look and going, yeah, that looks legit, copy, paste.

I guess the way around this is before you paste into a command line, paste into your favorite text editor of choice and just have a good look at what it is you actually pasted. I think that that’s good hygiene and a best practice now going forward.
Tim CallanTim CallanYou’d think that that would knock out, I mean, the real bad commands. Maybe there’s something subtle like I give you some, I turn your good code into broken code by omitting a character somewhere, but that’s not going to result in an attack. That’s just going to result in a bad compile, so.
Jason SorokoJason SorokoThe example used on the Proof of Concept was clever in that it actually resulted in a remote code execution. In other words, what was really happening here was there was a payload being downloaded from a malicious site, and then executed as a Shell script which is the nightmare scenario. So, it doesn’t have to be just a single line of code, it actually, the command would be downloading an entire Shell script and executing it within your current session. That is the nightmare scenario, and that was shown in the Proof of Concept and so, as soon as I saw that, I have to admit - I mean, I’ve been around security a long time - this is not an attack vector I had thought of, but now that I’ve seen it, I am no longer ever going to copy and paste directly from a website into a command line.
Tim CallanTim CallanAlright. Well, that’s good advice. Gabriel Friedlander, nicely done on getting the word out on this. Jason, nicely done on noticing this and further spreading the word. Listeners, it’s good advice. You should think about that. Thank you, Jason.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud