Don't copy-paste commands from webpages — you can get hacked

Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal are warned they risk having their system compromised.

A technologist demonstrates a simple trick that'll make you think twice before copying and pasting text from web pages.


https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-from-webpages-you-can-get-hacked/
Meanwhile, most software projects today:

To install our software just type:
echo "deb [arch=amd64] https://apt.our-software.com/ stable main" | sudo tee /etc/apt/sources.list.d/our-software.list
sudo apt-get update
sudo apt-get install our-software

YEP. Chrome actually has a 'paste as plain-text' feature which should also show you any nasty inserts unless I am mistaken? I always prefer to use that feature anyway for safety
https://onplanners.com/templates/digital-planners
I've never downloaded through the terminal if I can help it. And I just realized that my method for downloading software that has even a remote chance of containing EVIL THINGS is, well, maybe a tad paranoid.

So, first I download the software onto a NAS. Then, I put it on a thumb drive and put that in what I call my "black" computer. It's basically a computer that has no access to any internet, or my other computers.

Next, I download and open the software on the black computer. If it runs fine, meaning no glitches or weird shenanigans, then I'll take the thumb drive and upload the software to my regular computer.

Is this weird? I just realized for the first time in about 12 years that it might be indicative that maybe I've watched Enemy of the State 8 too many times...
I've always routinely pasted any command I've copied into Notepad first, then highlighted and copied the command again from Notepad before pasting the command anywhere else.

That simple extra step ensures the exploit can't be used on any command I ever copy from a webpage, regardless of any hidden scripts that could exist.

I find it simple because when I press Windows + R on my system, Notepad is always the last command I've run there. So the entire process takes two or three seconds at most with the following keyboard shortcuts...

Windows+R, Enter (Opens Notepad)
Ctrl-V (Pastes clipboard content into Notepad)
Ctrl-A (Highlight all pasted content)
Ctrl-X (Cut content back into the clipboard)
Alt-F4 (Closes Notepad)

...and I'm ready to safely paste to wherever I like without any form of formatting or hidden script content.

Of course, if I noted anything in Notepad that shouldn't be there after pasting, I would stop at that point and suss out what's going on.

Been doing that as a matter of routine for years now so it's become second nature for me.
FWIW, this attack can be trivially prevented in two ways:

1. Major shells (e.g. zsh, fish, bash via an option) support bracketed paste, which allows a compatible terminal to signal the beginning and end of pasted text via escape sequences. This lets you paste stuff into your shell and trust that it will wait for you to hit Enter before executing it.

2. Blocking Javascript from manipulating the clipboard. This is worth doing anyway, IMO. Websites often abuse this functionality to add "read more at" suffixes or the like, which is an extremely frustrating dark pattern.

-Albatross
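An added example, not written by anyone in this thread: a Python check that automates the inspection the Notepad routine does by eye and flags the trailing newline that bracketed paste exists to neutralise. The names `audit_paste` and `visible` are hypothetical, and the sample strings are constructed for illustration.

```python
import unicodedata

def visible(text):
    """Render text with every non-printable character shown as an escape."""
    return "".join(
        ch if ch.isprintable() else ch.encode("unicode_escape").decode("ascii")
        for ch in text
    )

def audit_paste(text):
    """Return (code, detail) findings for text about to be pasted into a shell."""
    findings = []
    # A trailing newline acts as the Enter key when bracketed paste is off.
    if text.endswith(("\n", "\r")):
        findings.append(("trailing-newline", "would run as soon as it is pasted"))
    # More than one line means more than the single command that was selected.
    lines = text.rstrip("\r\n").splitlines()
    if len(lines) > 1:
        findings.append(("multi-line", "%d lines in clipboard" % len(lines)))
    # Control (Cc) and format (Cf) characters such as ESC or zero-width
    # spaces have no place in a command copied from a page.
    hidden = sorted({ch for ch in text
                     if unicodedata.category(ch) in ("Cc", "Cf")
                     and ch not in "\r\n\t"})
    if hidden:
        findings.append(("hidden-chars",
                         ", ".join("U+%04X" % ord(c) for c in hidden)))
    return findings

# Constructed samples: what was selected, a clipboard whose content was
# swapped for two lines, and a command padded with a zero-width space.
SELECTED = "sudo apt-get update"
SWAPPED = "echo 'constructed stand-in'\nsudo apt-get update\n"
PADDED = "sudo apt-get\u200b update"

if __name__ == "__main__":
    for sample in (SELECTED, SWAPPED, PADDED):
        print(visible(sample))
        results = audit_paste(sample) or [("clean", "one line, nothing hidden")]
        for code, detail in results:
            print("    %-16s %s" % (code, detail))
```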
Anytime I've done any console work that has been using commands I've run across on the 'net I've always manually typed the command(s). Doing that gets my brain engaged in whatever system/admin stuff I'm trying to do.

Easy to deal with a mistyped command so I know my fat fingers were at fault. Frustrating, but not as bad as a command that basically says "blow up your OS, sucker!"
Slight aside - was Notepad originally written by one of the programmers who joined Cutler at Microsoft from DEC? V A X rules!
OK - a Xerox man rather than a DEC man.
The origins from Xerox PARC for modern PC operating systems are.....spooky.
Yeah - have you read some of the books on the history of Microsoft and the development of MS-DOS, Windows, Windows NT, OS/2? They're fascinating (to me anyhow).
The history of the IBM PC, with the originally planned OS/2 operating system. The OS that MS had a hand in creating and sabotaging so MS-DOS became the marketing department's "gotta ship this" alternative. The OS that MS only licensed because the marketing department believed it was a better deal for customers so every IBM PC price a good chunk of it went to MS.

IBM-PCs became the de-facto PC standard, because of the reputation IBM had for their main-frames.

MS-DOS, which was a blatant theft by MS the original developer couldn't afford to fight.

NT was another "freeze out" the original developer situation.

Nah, never heard of that stuff before.
> FWIW, this attack can be trivially prevented
use w3m, no javascript nor css support

> 2. Blocking Javascript from manipulating the clipboard. This is worth doing anyway, IMO.
http://www.w3m.rocks/
Merits
View content without modern web bloat
somewhere along the way, the internet broke


https://www.fsf.org/campaigns/freejs
funny that this link is broken https://research.facebook.com/wp-content/uploads/2016/11/self-censorship-on-facebook.pdf

https://www.gnu.org/philosophy/javascript-trap.html