Is drag-and-drop safer than using the clipboard when it comes to protecting sensitive data from keyloggers?

I noticed that multiple password-locker applications recommend that you use the drag-and-drop feature to transfer passwords to login forms instead of copying the passwords to the clipboard or having the password locker type the password fo…

How can I protect myself from this kind of clipboard abuse?

Clipboard abuse from websites

Many websites use JavaScript or CSS to stealthily insert or replace text in the user’s clipboard whenever they copy information from the page. As far as I know this is mostly used for advertising purposes, but PoCs for exploits have been demonstrated.

However, I discovered that one does not even need JS or CSS to craft an exploit that has malicious effects when pasted in a terminal. Pasting hidden backspace characters can change the whole meaning of a shell command. Pasting in a term-based editor isn’t safe either. Pasting Esc then :! can cause a running Vim instance to execute a shell command. Pasting ^X^C will quit Emacs and/or even cat. Pasting ^Z will stop almost any term-based editor and return to the shell.

What makes it worse is that many trusted websites do not sanitise these non-printable characters. Twitter filters out Esc but not backspace. Pastebin.com doesn’t appear to filter out anything. Neither does Stack Exchange, hence the following exploit (WARNING: malicious code, DO NOT copy and paste into a Unix terminal!!) that could very well be crafted into something worse and more likely to be pasted by a victim:

echo '.!: keS i3l ldKo -1+9 +2-1' > /tmp/lol
echo ':!. keS i3l ldKo -2+9 +7-1' >> /tmp/lol
echo '.:! keS i3l ldKo -3+9 +4-1' >> /tmp/lol
sleep 1
md5sum /tmp/lol

Edit: Raw backspaces are now filtered by Stack Exchange, so this PoC requires &# escapes. /Edit

Here is how Chrome renders it:

Screenshot from Chrome

Firefox isn’t fooled as easily, but still remains oblivious to the JS or CSS approach:

Screenshot from Firefox

And when pasted into a terminal, it just kills all the user’s processes.

What to do?

What this basically tells me is that I should never, ever, copy anything from a web page and paste it into a terminal application. Well, great. My work environment is basically 1 web browser and 40 terminal windows/tabs. I copy and paste code snippets all the time.

Now, is there anyone who can protect me from my own bad habits (which, honestly, I don’t think are that bad)? Browser vendors? Terminal vendors? Clipboard system vendors? A third-party application maybe?

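One answer to the "third-party application" question in the post above is a clipboard guard that runs before anything copied from a browser reaches a terminal. The following is an added example, not code from the post or from any answer to it: it flags the control characters the post names (backspace, Esc, ^X, ^C, ^Z), reconstructs what a line-editing shell would actually receive once backspaces and escape sequences are applied, and returns a stripped copy. The sample text is constructed and all function names are hypothetical.

```python
"""Clipboard guard: inspect text copied from a web page before it reaches a terminal."""
import re

# Control characters the post calls out, for readable labels in the report.
NAMES = {"\x08": "BS", "\x1b": "ESC", "\x18": "^X", "\x03": "^C", "\x1a": "^Z", "\x7f": "DEL"}
# All C0 controls and DEL except tab and newline, which legitimately occur in code snippets.
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# ANSI CSI / OSC / Fe escape sequences that a terminal would interpret rather than display.
ESCAPE_SEQ = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])")

def find_controls(text):
    """List (offset, label) for every control character present in the text."""
    return [(m.start(), NAMES.get(m.group(), "0x%02x" % ord(m.group())))
            for m in CONTROL.finditer(text)]

def terminal_view(text):
    """Approximate what a line-editing shell ends up with: escape sequences are consumed,
    BS/DEL erase the previous character and other controls vanish, so the command can
    differ from what the browser showed (a browser simply does not render these bytes)."""
    buf = []
    for ch in ESCAPE_SEQ.sub("", text):
        if ch in ("\x08", "\x7f"):
            if buf:
                buf.pop()
        elif not CONTROL.match(ch):
            buf.append(ch)
    return "".join(buf)

def sanitize(text):
    """Return the text with escape sequences and control characters removed."""
    return CONTROL.sub("", ESCAPE_SEQ.sub("", text))

def check(text):
    """Report whether the text is safe to paste and what a terminal would really receive."""
    found = find_controls(text)
    return {"safe": not found, "controls": found,
            "terminal_view": terminal_view(text), "sanitized": sanitize(text)}

# Constructed sample (not the post's payload): looks like "cat notes.txt" with junk appended,
# but nine hidden backspaces make the terminal receive "cat secrets.txt" instead.
SAMPLE = "cat notes.txt" + "\x08" * 9 + "secrets.txt"

if __name__ == "__main__":
    report = check(SAMPLE)
    print("safe:", report["safe"], "controls:", report["controls"])
    print("terminal would run:", report["terminal_view"])
```

This complements, but does not replace, a terminal's bracketed paste mode, which only stops a pasted newline from submitting the command and does nothing about hidden backspaces.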