Gabriel Friedlander, founder of the security awareness training platform Wizer, demonstrated an obvious yet surprising hack that warns programmers, sysadmins, security researchers, and technology hobbyists that copying-pasting commands from web pages into a console or terminal could result in a system compromise. It is not uncommon for developers to utilize websites to get commands while coding, and often these commands are just copied and pasted into the environment that is being used to develop. This new proof of concept (PoC) proves that malicious actors are abusing this practice to trick victims into pasting malicious code into their own products. Using JavaScript code hidden behind an HTML page, attackers can manipulate lines of code that are commonly copied and pasted to input an unwanted command. Often, by the time the victim identifies where they went wrong, it is too late, and the unwanted command has already been executed and could create a backdoor into the application that was created.
Analyst Notes
This attack is relatively simple but is also very harmful because it could be hard to identify. Because of attacks like these, it is never advised to copy-paste code directly into an application when it is being developed. The best practice for anyone that is using websites to get commands would be to type the command themselves instead of copying-pasting it into their application or paste the command into a text editor and review it before it is put into an application.
https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-from-webpages-you-can-get-hacked/
