There are many news sites that make it extremely hard to share their content on sites like HN or reddit because of these tricks. I wonder if they are actually losing traffic from it, or if their tactics work? I'm referring to when you copy the text in the title of an article to try to paste it into the Title box on HN or reddit. But what you 'paste' is actually a huge paragraph about how great the news website is and how you should download their apps and read more on their website. At that point, I can't be bothered to clean it up and I refuse to type out some text that I should have been able to copy.
Does it really work? Do sites actually get more traffic by hijacking your keyboard's basic functions to insert advertisements? I guess it probably does. :(
I had to implement this kinda code when I worked for Demand Media and it certainly worked. What's funny is you don't need any fancy new APIs to make it work. We were doing some pretty basic tactics actually. Only real way to prevent it is to disable JavaScript.
Demand Media makes money by monitoring ad networks and then paying people to churn out worthless content that pollutes search results. They watch metrics very carefully.
I'm sure that those involved have very interesting rationalizations, but I don't think that it should be viewed from an ethics perspective. Expecting people to behave against their own self interest in the short term, for the good of strangers in the long term, will always end in disappointment. This is actually a pretty simple case of poorly stated objectives being cleverly met by people who are completely self interested. LOC metrics, rat tail bounties, click-through rates. I know this sounds kind of "well what did you expect wearing something like that", but if advertisers establish metrics that are more closely aligned with their objectives then we'd all be better off.
But yeah, Demand Media is terrible and their employees are not on my Christmas card list.
> I know this sounds kind of "well what did you expect wearing something like that"
Which is a perfectly rational question/argument.
> Expecting people to behave against their own self interest in the short term, for the good of strangers in the long term, will always end in disappointment.
I agree. This is a systemic problem, and appeals to ethics won't work (and the advertisers won't change their metrics because of them) - one needs to attack the economic incentives underlying their current strategies.
> (and the advertisers won't change their metrics because of them)
uh. That isn't what I was doing - one party's act in self interest can benefit third parties (even if accidentally)... like electing to not set yourself on fire in a crowded Museum of Yarn and Flammables.
> ...attack the economic incentives underlying their current strategies.
That has been going on since the first ad click payment. I'm guessing that the ideal solution is one that would require a scale of economy that is outside the capabilities of the majority of the market participants, and that is why we still have catch the monkey ads.
How is that rational at all? That question is referencing the common practice of blaming rape victims rather than the rapists, by questioning what the victim was wearing.
It is a perfectly rational question. You're layering a bunch of unnecessary stuff about blame on top of it. Rape is always the fault of the rapist. Full stop. Now, given that there probably always will be rapists in the world, can we be allowed to ask questions that help prevent rape?
No, because rapists are given cover and can more easily rationalize their behavior when society implies that rape is a natural or expected consequence of the failure to take precautions against it.
Rape is a natural or expected consequence of the failure to take precautions against it.
It doesn't matter what society implies.
Note that I can say that while unequivocally condemning rape and providing zero cover to rapists. I am describing what is, not what I think ought to be.
>> Rape is a natural or expected consequence of the failure to take precautions against it.
I don't understand - how is that not victim blaming, and going against your last line? And how exactly do you take precautions against rape, especially when you factor in the fact that the perpetrators are far more likely to be people who wield some kind of authority over the victim, including family members, bosses at work, police and security forces, etc. which is true at least where I come from (West Africa), and leads to chronic under reporting / decisions by families to either blame the victim or sweep the whole thing under the rug. Or am I somehow misunderstanding your meaning?
Kind of odd to even bring ethics up when discussing how websites make money. It doesn't matter at all. Ethics is normally used to discuss other people getting harmed by actions, but when all that harm can be removed simply by closing the browser and doing something else it's barely worth talking about. Is it ethical for a shop to advertise its products in the shop windows when the people running the shop know that there are higher quality products available in a competitors store? Who gives a shit?
I do. That's probably why I won't be running an effective business any time soon. Being nice and not fucking people over doesn't get you far in highly competitive markets.
I strongly second what 'nitrogen wrote[0]. This is very much about ethics.
> Is it ethical for a shop to advertise its products in the shop windows when the people running the shop know that there are higher quality products available in a competitors store?
In my opinion, no. Basically, if you know your product is shit, you are morally obliged to make it better or find something else to sell; lying to people to make them buy your stuff instead of something objectively better is fucking them over for your own gain.
Think about it the next time you find yourself on the receiving end of such businessmen.
That argument would lead you to the conclusion that if your peers are objectively better than you, then it's immoral for you to seek employment; you must improve yourself or choose a different industry. So do you think you are among the world's best in your area of expertise, or are you voluntarily unemployed? ;)
That said, most of my peers who are objectively better than me are already employed, and it's up to employers to select from the available pool of employees. My responsibility is to truthfully present my skills during interview.
If it is on the employer to make a value judgement on your skills, then isn't it also up to the window shopper to make a value judgement on the merchandise?
Well, yes - but in my original comment I didn't say that if you get half a feature behind your competitor, you should trash your merchandise and go do something else. I complained about people willingly making and selling shit, covering the deficiencies up with marketing.
In hiring analogy, it would be as if I couldn't code at all, but could talk my way through the interviews - and so instead of actually learning to code, I'd earn money by getting employed at companies and trying to extract as many paychecks and benefits as I can and then quitting before they figure out I'm a fraud.
Me investing my time to get a job through pure charisma, without bringing any merit to the table, is like selling products on pure marketing. Pretty dishonest, and also poisons the ecosystem for everyone.
... but a warning sign that an argument is probably too broad, too absolute, too confidently stated, and has ten thousand exceptions that you didn't consider.
> I do. That's probably why I won't be running an effective business any time soon. Being nice and not fucking people over doesn't get you far in highly competitive markets.
> lying to people to make them buy your stuff instead of something objectively better is fucking them over for your own gain
Thanks, this needed to be said. I'm in the same position. I will probably never be able to run a business either because I hold these same views.
> Kind of odd to even bring ethics up when discussing how websites make money. It doesn't matter at all.
This is why we can't have nice things. Because people adopt a FYGM attitude. Because they piss in the pool we all have to swim in.
> ...all that harm can be removed simply by...
...quitting smoking? Throwing away the prescription pain meds? Giving up junk food?
How about not robbing people of their valuable time and money? How about moving past negative-sum business models where the distributed costs far outweigh the concentrated gains?
If I'm actively searching for some information I need, I cannot "simply close the browser and do something else". Search results are polluted with junk and time it takes to find useful information has increased a lot. Finding in-depth information is getting harder and harder because of flood of low quality pages that only hit the keywords and skim the topic on the surface.
Very sad welcome because somehow working in advertisement industry is considered a respectable occupation in 2016. The cognitive dissonance of the society is sometimes mind-boggling.
"You know, you smell, and look ugly, and certainly are wearing yesteryear's fashions. Buy our shit and you can be almost a human again!"
(hey it works in the advertising industry. I attack your humanity on multiple levels and then show you garbage that... kind of, almost, but not really restores your humanity. Of course, you really need next month's update, or you're just subhuman again!)
Which is a show about how cool it is to be an asshole and ruin your own and other people's lives by making extremely selfish decisions. This is also why I won't watch House of Cards.
HoC makes it seem downright cool to screw everyone you know over to attempt to dig yourself out of the massive hole you've dug yourself into. The sad thing is that much of the American public watching this garbage believes the underlying premise, "do unto others before they do unto you."
Sure, if you've got a concept of morality based on primarily being motivated to help others rather than pursuing self interest. If that's the case though then the vast majority of people would fall under the category and make it a pretty meaningless description.
> if you've got a concept of morality based on primarily being motivated to help others
Ethically, self-interest is fine. Failing to help others isn't a huge deal either. It's the part where you're actively and deliberately harming others (by polluting search results - impairing both search engines, as a company, and their users) that we're objecting to.
I think the idea of "polluting search results" requires too much of a subjective concept of what good content is to say whether producing one kind or not is unethical. They aren't producing what they are because people aren't looking at it and I'm very sceptical of any notion that people don't generally do what they want. It has a very centrally planned feel to say "people want think pieces" or "people want to read about X" when reality shows that people want easily consumed clickbait and listicles.
What you wrote is a very twisted rationalization of screwing people on purpose. Sure, if you create several things and watch which ones people like more, you can say that those people do what they want. But when you start purposefully designing tricks to e.g. advertise you have information, and then sell them ads and bullshit, you're doing active harm to people. It's not subjective at all.
I assure you I don't need to rationalise. I'm under no delusion that I'm a terrific person and do the assorted immoral things I do with full understanding and acceptance.
Demand Media has strong brands. They aren't anonymous/fly by night operators. If they were promising content and not delivering with any sort of regularity they'd lose viewers. They're not doing that though. The content when you click on an ehow or livestrong article is exactly what you'd expect from an ehow or livestrong article. That you find this content undesirable is very much subjective. Plenty of people seem to enjoy it.
People generally do what they want to do, but they base their decisions on incomplete information on what they are going to get. Lots of crap wouldn't get its clicks if it didn't appear to be something it isn't.
Their crap is what it appears to be though. If they weren't delivering on their clickbaity titles then people would soon learn. It's not like they're anonymous publishers, sites like ehow and livestrong are strong brands. They're not counting on unaware users.
Humans are social animals and the "self" at least partially includes your community. There's no need to make such a fine distinction when discussing human morality.
I don't personally have any supporting data but the business people were not ones to do things unless it worked. Just look how high in the rankings ehow was able to get before panda hit.
I like most of the ACM code. I think it could use an update with more direct prohibitions on modern forms of user harm, such as trading in private information and manipulating search results to promote low quality sites.
The proof of concept didn't work for me. I highlighted the text, right-clicked and clicked "copy". I thought it was just broken or not hooking the on-copy properly.
Then I realized that the reason I was doing that instead of ctrl-c is all the times that web sites break ctrl-c. I literally have gotten used to highlighting, right-clicking, and clicking copy, for a "clean" copy :) I wasn't even aware I was doing this.
Of course, web sites can hook right-clicks. It would be funny if they threw up a fake context menu matching the default context menu of the browser and operating system you're using, but with evil versions of commands :)
I don't disable or modify javascript, so with that addition it would have tricked me.
Right-click hooking could be defeated by inserting a sequence number in the right-click menu and displaying the same sequence number somewhere in the browser window.
I will say that the people who generate event hooks in browsers need to pull their heads out of their asses before this kind of thing becomes necessary.
But then, I've seen sites that break highlighting. Either intentionally, or accidentally, thinking people will share their every highlight on Twitter (I am looking at you, Medium).
I don't have data on this, but it's a significant turnoff for me. Unless I really have to share the quote, I never bother cleaning it. It doesn't bug me to the extent that I won't share it altogether (I'll just type it out or copy from Chrome devtools); yet I'll be more hesitant to share from that website from thereon.
Many pages in the New York Times are impossible to select text in. But I just select the text from the page source. After reading this article, I'm thinking that might be a good idea in general.
In Firefox use CTRL-SHIFT-I or use Firebug to inspect the code on the page after it's generated. I guess many times it's a transparent div covering the text, not javascript tricks like this, but I might be wrong. You can remove the div using Firebug. Selecting the text in Firebug will work, but may be a lot more work. How about printing to PDF, then selecting the text there?
Why do browsers not require explicit user permission before allowing a site to perform clipboard manipulations? In a similar fashion to how the HTML5 geo-location API is opt-in?
I just turned this preference off in Firefox, and it didn't stop the demo from working, which makes sense since the preference says it only disables oncopy/cut/paste events, and this demo uses a different method.
This is because the Firefox preference is useless - it only disables the clipboard events, but not the clipboard access from any other event. So the demo simply hooks the keydown event instead. Have a look at the source, it's really quite straightforward.
What browsers really should have are a standard "Ask & Whitelist" dialog for all of these security critical features[1]. It seems Firefox even used to have this feature, but it and the corresponding addon have long since crumbled to dust[2].
Unfortunately browsers are no longer controlled by hackers who think about all the implications of a feature, but by corporations who think about money, and us hackers have to spend inordinate amounts of time trying to play security whack-a-mole, or be forced to give up and use our browsers like sheep, the way the corporations want us to.
[1] There's many more, including utterly ridiculous stuff such as telling websites the battery charge status of your device (and if your charger is plugged in): https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
They had a pretty useful per-site configuration mechanism that wasn't UI-configurable so someone started to make a UI for it, but then some higher-up decided they should remove the whole thing completely! The screenshots they have there look so awesome:
> Unfortunately browsers are no longer controlled by hackers who think about all the implications of a feature, but by corporations who think about money, and us hackers have to spend inordinate amounts of time trying to play security whack-a-mole, or be forced to give up and use our browsers like sheep, the way the corporations want us to.
FWIW, the features that this uses have their origins in proprietary IE5 features (maybe 5.5?). Whether this attack works in IE5 I leave as an exercise to someone else.
Note that the tradeoffs are more complex than what one might naïvely assume: people weren't using the feature as it existed in Firefox before because it required explicit user interaction, but doing the same thing through Flash didn't… so everyone just used Flash. In effect, this is a security bug the platform has long had (because, like it or not, de-facto the web platform for the longest time included Flash). Now, should we blindly copy everything Flash can do? Of course not. But if something is making people hold on to Flash, we really should consider the tradeoffs. Are we just gaining theoretical superiority but practical irrelevance (on desktop at least; mobile where Flash is gone is a different story)?
> I just turned this preference off in Firefox, and it didn't stop the demo from working, which makes sense since the preference says it only disables oncopy/cut/paste events, and this demo uses a different method.
Oncopy is a named javascript event type that triggers when you copy the text of an element.
This method is more sophisticated; it monitors the whole page for copy commands, and has an event listener watching to see when this 'copy' command is executed.
Did you use the keyboard or the mouse? Because when I copy using keys, my clipboard is empty. Only right-clicking gives me "not evil". The eventListener is on keydown FYI
On a somewhat related note: why do browsers allow websites to prevent you from leaving via those annoying dialog boxes that ask you to click "cancel" or "leave"?
To be able to remind you about your unsaved changes before you leave the page. I personally find the benefits of websites doing that to be greater than the annoyance from websites abusing this functionality. (just an extra click when it's being abused, but potentially saving hours of my time when used properly)
I have seen sites that have pages where you're placed in a queue (for whatever reason) and if you leave the page you will be dropped from the queue, so it's nice to have something preventing you from accidentally leaving, but that's the only legitimate use I can think of.
I used to work for a company whose primary product was a web server that companies could buy and run for use purely internally. Our pages involved a lot of data entry that could be lost, so that sort of pop-up can be handy in that situation as well.
Of course a better solution would've been a program which doesn't so easily let you lose data in the first place, but this software was long past that.
It's really not that bad. The big problem was historically the buttons were labeled "Cancel" or "Ok", and some browsers allowed pages to customize the button labels, making which you clicked very ambiguous. Browsers today just giving "Stay on this page" and "Leave this page" buttons aren't really much of a bother if you remember how bad it used to be.
Websites can find better solutions if we kill this annoying feature. We have local storage in all browsers. Rather than prompting why not save it and recover when the user comes back. The users will always prefer this. It saves data even when the website crashes or the connectivity is lost and there is some important data on the page. Why have a feature that is abused more often than used especially there is no case where it is the only/best solution.
I agree. This thought process comes from a different era and has just continued to perpetuate itself. If you are working on insanely* large files then that box makes sense, otherwise we have the technology to save the user the headache.
*insanely large is anything that takes up 75% of whatever computer bottlenecks first at the time of reading this comment(Memory, processor)
Funnily enough that API is already highly restricted: You can only show that single dialog box, you cannot modify the actions of the cancel and leave buttons and you cannot perform any asynchronous operations within the callback. (Technically you can, but the browser won't wait for them to finish)
All this was introduced to prevent abuse. Apparently it still wasn't enough though...
It's important to point out that the "yes, actually leave" option is not overridable. As a developer, you only get to set what message is displayed. The browser handles the rest, and it's basically "stop redirecting or continue". The developer only has control in the "stop redirecting" case.
What absolutely annoys me about this feature is that there are shitty ads which throw this dialog in a loop, making it virtually impossible to close them.
Chromium on Linux. Maybe they play some tricks with refreshing or redirecting to make the browser show this dialog again on the next attempt to close the tab, if the browser wouldn't normally do that. Unfortunately, I didn't investigate and don't have links.
I see it on Firefox. Now that you mention it, it seems to happen less often lately. Maybe I am looking less at shady sites or they have changed something.
Its intended use is for data entry, it's meant to be a prompt for "Hey there's unsaved changes on your 'Super Important Document' are you sure you want to leave?"
This is fair. For me, this is a case where it is likely as narrowly annoying as helpful, and thus a no-win situation. Some sites I use are responsible, allowing you to copy an IP address on click, or a cryptocurrency wallet address on click, removing any extra whitespace and confirming a full address copy. This is quite important as perfectly copied addresses (which are basically massive strings of random text) ensure your money arrives properly, or is dispatched to the correct location.
However, sometimes I want to share a quote I found online. I don't want a promo for the website inserted into my clipboard. For them, it must be a fine line that realization: user-hostility can be short term profitable but long term fatal.
For the record you don't actually need to depend on new APIs like "document.execCommand('copy')", simply shifting focus to an off-screen textbox area when ctrl is down will do the trick in 95% of the cases, with full cross browser compatibility.
So I copy a command off a dodgy website, hit paste in my terminal, and a command drops which runs a shell script that downloads a rootkit, logs me out and clears the screen leaving me thinking that some weird glitch has happened but all is OK - is that the sort of scenario we are talking?
Although what you propose sounds plausible, the only instance of this I've seen is when adding copyright notices when you save the link to an image, or when they add this warning about not stealing the work and adding proper citation.
The problem I see with this scenario is that not everyone is copy-pasting from the browser into a terminal. I for example copy things to my VM's text editor first, then run the command. Others could be copy-pasting to an email for example. In those instances it would be obvious that the site is doing something not so kosher and it would be noticed pretty soon I guess, depending on the site's popularit
The big warning message I get at the top of that page is funny (emphasis and commentary mine):
"Please enable Javascript
This site requires Javascript be enabled to provide you the best experience [for us]. Some features [like shoving crap into your clipboard] may not be available with Javascript disabled!"
It's not uncommon to find sites whose definition of "good UX" is exactly the opposite of what I want.
Interesting; drag-and-drop bypasses that (allowing the selected text, and only the selected text, to be grabbed) but Copy using either keyboard or mouse is hijacked.
You don't see a https:// on the page, but it gets put on your clipboard because it is actually there with 0 font size. In this case it's actually pointless though because they cut off the end of the url.
The problem being that with this particular vulnerability, you do get the correct text in your clipboard initially, it's just overridden less than a second later.
Combined with XSS, it may not even have to be a dodgy website. A fair number of projects encourage people to copy and paste scripts into their shell in order to install these days.
This is why I always copy a command into TextEdit (or Notepad on Windows) first, and then re-copy the clean text before pasting into my terminal.
While we are on the topic of copying and pasting. If the command downloads a script, make sure you download the script out-of-step via curl first, review its contents, and only then execute it. This avoids sites maliciously changing the script based on the User Agent.
Note that clever timing could get the "evil text" in your clipboard between checking in a text editor and pasting into the terminal. Hard to time correctly, but not impossible.
At first I thought "I don't do this; it's never seemed necessary", but actually, I think I do. Years of copying to a plain text editor to strip formatting have conditioned the behavior.
Yeah, I started to copy through a text box (usually the Windows Run (Win+R) box, which isn't exactly safe now that I think of it...) to strip formatting some time ago. It's pretty much necessary whenever you want to paste anything into GMail web interface. The web is getting more ridiculous every day...
TextEdit is RTF by default - I wonder if you can include control characters to screw with that? I use Sublime/Atom since those are plaintext by default.
That still relies on the second `curl` fetching the same instructions as the first (an invariant that a really nasty web server wouldn't have to obey). Wouldn't it be better to use a `tee` to make sure that what you read with `less` is exactly what's executed?
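The "fetch once, review, then run exactly those bytes" workflow discussed in the comments above, as an added example that is not code from the thread. The function names (`fetch_once`, `sha256_of`, `run_reviewed`) and the file name `install.sh` are hypothetical, and the hash tool is assumed to be either `sha256sum` or `shasum`.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it is byte-for-byte
# the file that was reviewed. Nothing is ever piped from curl into sh.
#
# Intended workflow (URL is a placeholder you supply):
#   fetch_once "$URL" install.sh       # one single download
#   less install.sh                    # read what actually arrived
#   h=$(sha256_of install.sh)          # pin the reviewed content
#   run_reviewed install.sh "$h"       # executes only if still identical

# fetch_once URL DEST: download once to a file; fail on HTTP errors.
fetch_once() {
    curl --fail --silent --show-error --location --output "$2" "$1"
}

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_reviewed FILE REVIEWED_HASH [ARGS...]
# Copies FILE to a private temp file, hashes the copy, and runs the copy,
# so the bytes that are checked are the bytes that are executed.
# Exit status: 1 if the content differs from what was reviewed,
# 2 on setup errors, otherwise the script's own exit status.
run_reviewed() (
    file=$1
    want=$2
    shift 2
    copy=$(mktemp) || exit 2
    trap 'rm -f "$copy"' EXIT
    cat "$file" > "$copy" || exit 2
    have=$(sha256_of "$copy") || exit 2
    if [ "$have" != "$want" ]; then
        echo "refusing to run: $file differs from the reviewed content" >&2
        exit 1
    fi
    sh "$copy" "$@"
)
```

The same digest can be compared against a checksum the project publishes out of band, when one exists.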
I use Quicksilver, and generally paste what I've copied there first. Also lets me strip the formatting, like pasting with Shift + Option + Command + V.
Since operating systems can “quarantine” downloaded files, it seems perfectly reasonable to also quarantine data that can be arbitrarily modified by remote APIs. This is doubly true when there are all kinds of ways for web sites to trick the user into visiting domains they don’t really know that they “requested”.
On the Mac, applications downloaded from the Internet are quarantined; they stay that way until you accept a warning message displayed at first launch (even if you wait days to launch it for the first time). The OS helpfully remembers where the file came from, e.g. “This was downloaded from www.notmalware.com on July 6, 2000.”.
If a web browser insists on allowing web-controlled Copy behavior, the resulting pasteboard should be given a big, black TAINTED mark that cannot be cleared without a very explicit action. If I go to another application and try to Paste, the other application should not be able to access the data without clearing the quarantine (e.g. OS provides standard dialog that shows the entire text and web site of origin, free of any white text-coloring or Unicode invisibility tricks).
I'd like to point out to everyone that isn't aware of it, this can be (sort of) done even without Javascript. Extra text can be hidden with CSS that is easily copied when highlighting other benign text, so be careful even when using Noscript.
I can't reproduce this in Chrome or Safari. I have uBlock enabled, but a cmd + c gives me the bell in iTerm (fail) and if I click edit copy from the drop down, the shell echoes
"not evil"
without a line break as expected. Chrome and Safari.
edit: doesn't seem to have unexpected behavior in terminal either. Am I missing something, or does uBlock default deny the scripts that can do this?
edit 2: console log: Copying text command was unsuccessful. uBlock disabled.
How is that better than purely HTML/CSS attack (or even telling a person to use `curl blahblah | sh` command)?
This particular attack doesn't work when not using keyboard to copy (think select to copy (traditional X behavior) or using a context menu), it causes text to unselect after busy loop ends, causes fans in my laptop to start working (because of busy new Date loop), causes cursor to cease changing for a certain period of time, requires me to enable JavaScript, requires support for "copy" command (which isn't universal), and requires the user to press CTRL+C either way (otherwise the webpage won't be able to copy into a clipboard).
I guess you could paste an output after a certain time, but because of hijacking on Ctrl key, nothing can be copied before busy loop ends, and as a result, it doesn't prevent "pasting the command into Notepad" just to ensure it's safe - as either what previously was in pastebin or malicious command will be pasted.
https://xfix.github.io/mystery-zone/command.html (disclaimer: I made this page) doesn't have any of those problems (other than requiring the user to copy text in any way (CTRL+C, text selection, context menu, whatever odd interface you have)), and it still can break vim (and for that matter, bash, zsh (including zsh with paste protection), fish, and emacs).
I remember adding an entire feature to my terminal to check for multi-line Paste because it was frustrating to execute something by accident. It never occurred to me that we would reach the point where the Copy itself could not even be trusted.
It is time to rein in all the things that web browsers are complicit in doing at the request of random web sites. There needs to be a lot more thought put into these “APIs” that sites have access to, and a lot more scrutiny of the data.
Are there any plugins that detect your clipboard is being manipulated and block the offending script from touching it, or perhaps prompt you? I'm thinking something like uMatrix for that class of JS. I can imagine that being a useful thing, if one doesn't already exist, both from the security standpoint and from the "don't add miscellaneous share crap" standpoint.
The author noted that iTerm on MacOS notifies when a paste that's about to happen contains a newline. Cmder on Windows does this as well, it's a nice feature even outside of the security concerns.
This was disabled by default in (classic) Opera (since it was a weird microsoft addition). Was surprised how many sites do this when I switched browsers.
At the same time, it's better than those times when you had flash buttons to copy link. So I think it should be allowed to change clipboard on user's action (can it be detected?). But there certainly shouldn't be an event to change clipboard that is fired after the user copies something (selection copy, keyboard shortcut, browser ui, ..).
> Note the newline character gets appended to the end of the line.
As others have already pointed out, an API for interacting with the clipboard is a terrible idea that should be removed from the browser.
However, this particular problem of pasting multi-line strings into the terminal is already a solved problem if you use rxvt-unicode. The standard package includes the perl plugin "confirm-paste"[1][2]. Enable it in ~/.Xresources:
    URxvt.perl-ext-common: default,confirm-paste
confirm-paste passes single line pastes normally, but asks for a y/n confirmation before sending a multi-line paste to the shell.
Then web site developers thought it's a crucial feature. Even GitHub used a Flash element to allow easy copy of repo URL. As if anyone using git can't copy. Then some moron added that to the browser, and every other moron followed.
The solution is definitely to avoid pasting commands with newlines in them into your terminal. With Vim, you can use the + register to paste (e.g. "+p). Using iTerm on OS X, I've added a custom keymap for Cmd+V, bound to Run coprocess:
zsh actually detects pastes into the terminal and doesn't submit the commands on newlines. This way you see the full command and have to hit enter yourself to run it.
It isn't perfect because people could try to obscure the command but in general it makes me a lot happier to paste commands into my terminal.
This. I'd argue that the issue here is more with terminals and shells than web browsers: paste shouldn't immediately start executing something. The technology to not do so has been around for years - it's called bracketed paste: https://cirw.in/blog/bracketed-paste
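How bracketed paste changes what a shell receives, as an added example that is not part of the comment above or the linked post. It is a simplified model of a shell's input handling; the function names and the sample input are constructed for illustration.

```python
# Added illustration: a simplified model, not code from any real shell or terminal.
PASTE_START = "\x1b[200~"   # sent by the terminal before pasted text
PASTE_END = "\x1b[201~"     # sent by the terminal after pasted text

def split_input(stream):
    """Split terminal input into ('typed', text) and ('pasted', text) spans."""
    spans, pos = [], 0
    while pos < len(stream):
        start = stream.find(PASTE_START, pos)
        if start == -1:
            spans.append(("typed", stream[pos:]))
            break
        if start > pos:
            spans.append(("typed", stream[pos:start]))
        body = start + len(PASTE_START)
        end = stream.find(PASTE_END, body)
        if end == -1:                      # unterminated paste: rest is pasted
            spans.append(("pasted", stream[body:]))
            break
        spans.append(("pasted", stream[body:end]))
        pos = end + len(PASTE_END)
    return spans

def commands_to_run(stream):
    """Return (submitted lines, pending edit buffer) for an input stream."""
    buffer, submitted = "", []
    for kind, text in split_input(stream):
        if kind == "pasted":
            buffer += text                 # inserted for review, never submitted
            continue
        for ch in text:
            if ch in "\r\n":               # only a typed Enter submits
                submitted.append(buffer)
                buffer = ""
            else:
                buffer += ch
    return submitted, buffer

def review_paste(text):
    """Flag properties of pasted text that deserve a confirmation prompt."""
    findings = []
    if "\n" in text or "\r" in text:
        findings.append("newline")
    if any((ord(c) < 0x20 and c not in "\t\n\r") or ord(c) == 0x7F for c in text):
        findings.append("control-char")
    return findings

# Constructed sample: the user types "ls" + Enter, then pastes two lines.
PASTED = "echo safe\necho extra\n"
SAMPLE = "ls\r" + PASTE_START + PASTED + PASTE_END

if __name__ == "__main__":
    print(commands_to_run(SAMPLE))   # bracketed: paste waits in the buffer
    print(commands_to_run(PASTED))   # unbracketed: every line is submitted
    print(review_paste(PASTED))
```

Without the markers the pasted newlines are indistinguishable from typed Enter, which is the behaviour the multi-line paste warnings mentioned in this thread guard against.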
I must be doing something wrong, because I copy and paste multiple lines all the time into zsh (ohmyzsh on iTerm) and it will execute all but the last line (which generally doesn't have a new line on it)
"Note that if I can get you to "su and say" something just by asking, you have a very serious security problem on your system and you should look into it."
The full reach of this issue might not be limited to just text. It might be possible to mess with scripts in programs like Word by abusing rich text, macros and styles:
> It should also be noted, for some time similar attacks have been possible via html/css [1]
As it happens, this particular attack doesn't work in gngr [0]. The example uses an absolute positioned div to put extra text out of viewport, which is not picked up by gngr when selecting text.
gngr also doesn't enable Javascript by default, so attacks such as that described in OP are not possible from random site visits. (I recommend uBlock / uMatrix for other browsers).
However, the attack surface is really quite large here. CSS directives such as `opacity: 0.001` could be easily used to mask extra text.
[0]: https://gngr.info/
and https://github.com/UprootLabs/gngr
[1]: https://thejh.net/misc/website-terminal-copy-paste
Then I remembered I had no script enabled, and then I remembered I don't trust JS and browsers by default, they are like OS in my OS that are way complex to be audited and they have access to way too much sensitive things (files, display, keyboard, network).
Weirdly enough, I don't think noScript is the solution (it is heavy, impractical and I dare not look at the code).
I am pretty wary of the evolution of the DOM + JS interaction and the new features brought in browsers that look like both a cancer and instabilities to come.
Edit: I visited the "about:config" page, searched for "dom.event.clipboardevents.enabled", then I have set it to false, but that wasn't nearly enough. The linked PoC still works :-(
This is not the first time this has come up. In fact I wrote an article a while back on how to use this for something legitimate [1] (including mobile support).
It is far easier to execute on the desktop (by watching for the control key press, then creating a hidden div that contains the text to be copied + malicious code if necessary).
Quite nicely iTerm2 will catch when you attempt to paste new line characters and warn you about it. Mostly it's useful when I've accidentally copied an extra line, but protecting against malicious abuse is a useful plus.
Same here. Safari + iTerm nightly. Cmd+C/Cmd+V on other text works but for the demo the author provides, I get no content. The previous clipboard content isn't overwritten on copying "no evil".
If you use a clipboard manager (I use the one built into LaunchBar) you can preview the contents of the clipboard without having to paste into a text editor. It takes seconds and is a good habit to develop.
It's not something that vim explicitly allows, it's a side-effect of running the editor in a terminal. When you paste into a terminal, it's as if the keys are actually being pressed, rather than just text inserted.
The proper way of pasting into vim, which doesn't have this problem, is "+p (as mentioned in the article).
This is one of the innumerable reasons why copying and pasting commands on the fly is wrong.
This also includes the awful popular installation commands in the form of "curl -s ... | sh" - which means you are basically giving your computer in the hands of a third party.
I think an actionable takeaway is: even if the curl/wget/whatever points to a trusted https:// domain, the page you're copying from also needs to be on a trusted https:// domain.
You trust the upstream to provide you with a safe program, but not a safe installer? That makes zero sense, and your link doesn't provide any evidence to the contrary
Yes, you are correct if the application and script are on the same domain. The link is simply an example of a major 'trusted' domain being compromised.
If the program you want to install is included in your distribution's packages then this whole discussion is moot. We are talking about ways of installing from third-party sources.