Pastejacking: what if what you paste is not what you copied!

Those little javascript codes in websites that no one ever check can push notifications and get geolocation with your permission; it can also store files in your cache, open windows, log keystrokes, follow your mouse movements andoverride your clipboard without your permission!

Well, the issue here is that you can not be sure of what you have in your clipboard! I can think of 2 case scenarios that this can be a security issue:

  • When a normal user copy the content from websites and paste directly into a vulnerable software (Microsoft Word?!) and the copied contents simply trigger the vulnerability.
  • When an admin copy and paste some command directly from a website (tutorials?!) into their terminal! This is the creepy one cause depends on the privilege of admin (duh!!) it can download and execute scripts; and then to make things looks OK performs a cleanup and probably do what it supposed to do !!

If you are thinking of disabling javascript, CSS (Cascading Style Sheets) can also be used to hide some contents among what you are copying! The problem with CSS is that you can not be sure what you are copying!

The solution is not that difficult though: just be aware of what you paste, where you paste and think twice before you paste!! Perhaps just paste in a notepad first, or just get a clipboard manager!

P/S: You can find a simple demonstration here:

GitHub – dxa4481/Pastejacking: A demo of overriding what’s in a person’s clipboard

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s