Copy and Paste – The insecurities of

copypasteCopy and Paste, the two commands that makes everyone’s life much easier, however thanks to technology advancements on the Internet, this simple two-step process may not be as safe as you once thought, especially for technology users.

When browsing on the Internet, there are a number of technology websites which are available that allow technical users to copy and paste code examples to make their lives easier, however if not sanity checked, there may be more to the pasted text than the user thought.

What is PasteJacking?

This manipulation of data is called PasteJacking, web browsers allow developers of websites to automatically add content to a user’s clipboard when following certain conditions.

PasteJacking with CSS

CSS (Cascading Style Sheets) is one of the main technologies that runs on all current websites, across all devices, primarily used to define the appearance of the site, it can however be used for other uses such as PasteJacking.

Hacker Jann Horn has a demo that shows just this technique which works on a Linux/OS X machine which is shown on his website This example shows some code to clone a Git repository.

git clone git://

However, what actually happens when you copy and then paste the code above is something very much different.  When pasted, the code still clones a git source repository, however before this is executed a personalised warning message along with the first line of your password file.  As you can imagine this is not what you want to happen.

git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwdgit clone git://

PasteJacking with JavaScript

JavaScript is a programming language which is primarily used with websites, it allows the developer to embed the JavaScript code into the HTML of websites.  If permitted JavaScript can push notifications and information (such as GeoLocation for quicker browsing).  However, what can also be performed, without your express permission, is the storage of data in your browsers cache, manipulate the web page (for formatting purposes), log your key strokes and mouse actions etc.

More importantly for this article, there is a JavaScript function which is called: execCommand(‘copy’) which allows you to copy information to your computers clipboard.  This can work the same as the CSS example described above.

You copy some text from a website that looks harmless, however when executed it pastes the text that you wanted as well as something additional. Because you are using JavaScript the impact to perform more harmful actions escalates through the roof due to a higher feature set and more access to the operating system functions – such as keyboard/mouse tracking.


There’s no getting around the fact that using copy and paste from web articles is a very handy feature and everyone does it on a daily basis more than likely.  When it comes to the more technical people, lick programmers, hackers, administrators and geeky people the Internet is a honey pot for all things useful.  Code examples are everywhere, popular websites such as StackOverflow are there is example code snippets just waiting to be picked.

However, thanks to the evolution of the Internet and the inclusion of CSS and JavaScript you are unaware of what you are copying to your clipboard until you actually paste it into the destination.

Image copying an example from the internet straight into a Linux terminal window that looks correct, but there is a malicious command which has been appended to the end of the clipboard, this command runs all the command that you expected, but then also proceeds to wipe your whole hard drive.  Image what that would be like if you were running it on a production environment.

If you are copying and pasting things from the Internet, it’s advisable to copy and paste the code of choice into a text editor, such as notepad and check to make sure there is nothing else appended to the code block. Then once it’s been sanity checked, you can then copy and paste the new code and paste into the destination.

Hope you enjoyed this blog article.

Previous Post
Security Awareness Training, is it worth it?
Next Post
Webcams, should you be paranoid?

Related Posts

No results found.

Leave a Reply

Your email address will not be published.

Fill out this field
Fill out this field
Please enter a valid email address.

7 − six =

This site uses Akismet to reduce spam. Learn how your comment data is processed.