The internet is full of free resources, and plenty of websites such as Stack Overflow offer sample code that programmers and developers can use to perform various programming tasks. But a web consultant has pointed out that this common practice could be a security risk. Here are the details.
Earlier this month a developer for Nissan’s car mobile app was busted for copying code straight from Stack Overflow. The fact that the developer didn’t do their due diligence in removing references to Stack Overflow from an official app just didn’t seem very professional, which was why it garnered attention. The incident also highlighted just how common copying and pasting code is.
Borrowing existing code that has been made public is not necessarily a bad thing. It can give programmers, developers and IT admins a quick solution to problems they are facing with their own code.
But a new kind of attack called Pastejacking is making this practice more dangerous. Using a function called execCommand('copy'), cybercriminals can change the content of what you copy from a webpage, so that what lands in a terminal window when you paste is not what you saw on the page. An innocent piece of text can be replaced by malicious code on a user’s clipboard. This was demonstrated by hacker Dylan Ayrey on GitHub using the JavaScript programming language.
He also noted that this method can be combined with a phishing attack to lure users into running seemingly innocuous commands, potentially allowing for remote code execution if the malicious code is pasted into the terminal.
According to independent web consultant Mark Stockley on Sophos’s Naked Security blog, pastejacking can be done with JavaScript and CSS:
“Unfortunately, thanks to CSS, you don’t necessarily know what you’re copying and, thanks to Javascript, you don’t necessarily know what’s in your clipboard.
“There are terminals that will warn you if you’re pasting something that ends in a newline character, and there are browsers, say Lynx or Mosaic, that can insulate you from the modernity of CSS and Javascript.”
Stockley said the best defence against pastejacking is to exercise caution when copying content off websites. Verify that the code is harmless by pasting it into a text editor first and looking it over before putting it into the terminal.
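The “look before you paste” advice above, and the terminal warning about trailing newlines quoted earlier, can be turned into a simple check. The following is an added example written for this article, not code from the article, from Dylan Ayrey’s demo, or from Sophos; the function name and the sample strings are constructed for illustration.

```javascript
// Added example: a "paste guard" that inspects clipboard text before it
// reaches a shell. Given the text the page showed you and the text that is
// actually on the clipboard, it returns a list of reasons to be suspicious.
function inspectPaste(visibleText, clipboardText) {
  const findings = [];

  // The core pastejacking symptom: the clipboard no longer matches the page.
  if (clipboardText !== visibleText) {
    findings.push('clipboard differs from the text shown on the page');
  }

  // A trailing newline makes most terminals run the command immediately,
  // before you have a chance to read it.
  if (/\r?\n$/.test(clipboardText)) {
    findings.push('ends with a newline (would auto-execute when pasted)');
  }

  // Embedded line breaks turn a supposed one-liner into several commands.
  const lines = clipboardText.replace(/\r?\n$/, '').split(/\r?\n/);
  if (lines.length > 1) {
    findings.push(`contains ${lines.length} lines, not one`);
  }

  // Control characters and ANSI escape sequences (ESC = 0x1b) can clear the
  // screen or move the cursor so that part of the paste is never seen.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(clipboardText)) {
    findings.push('contains control characters / escape sequences');
  }

  // Zero-width and bidi-control characters render as nothing in a browser.
  if (/[\u200b-\u200f\u2028-\u202e\u2060-\u2064\ufeff]/.test(clipboardText)) {
    findings.push('contains invisible Unicode characters');
  }

  return findings;
}

// Constructed sample (not a real payload): what the page displayed versus
// what a copy handler placed on the clipboard, with a harmless extra command
// and the trailing newline that would have executed it on paste.
const SHOWN = 'echo hello';
const COPIED = 'echo hello; echo "not what you saw"\n';

const findings = inspectPaste(SHOWN, COPIED);
console.log(findings.length === 0 ? 'looks consistent' : findings.join('\n'));
```

Pasting into a text editor does this comparison by eye; the function only makes explicit what to look for (a mismatch, a trailing newline, hidden characters). It cannot see CSS-hidden text that was never on the page, which is why the comparison against what you saw matters.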
[Via Naked Security by Sophos]
Comments
3 responses to “Be Careful When You Copy And Paste Code From The Internet”
Could also be titled: “Be Careful When You {Insert some words here} The Internet’
I feel that if you don’t read the code you just pasted, you deserve it. If you can’t understand what the code is saying and you still use it, you deserve it… And maybe the next job you go for will be one you’re actually qualified to do…
It’s so easy to copy and paste a snippet of code from the internet, but how many programmers actually read through the code and understand what each line is doing?
The fact of the matter is, not many do! And that’s where the danger lies. Imagine compiling code that gives an attacker reverse shell access to your computer.