Be Careful When You Copy And Paste Code From The Internet

The internet is full of free resources, and there are plenty of websites, Stack Overflow among them, offering sample code that programmers and developers can use to perform all sorts of programming tasks. But a web consultant has pointed out that this common practice could be a security risk. Here are the details.


Earlier this month a developer for Nissan’s car mobile app was busted for copying code straight from Stack Overflow. The developer hadn’t done their due diligence in removing references to Stack Overflow from an official app, which didn’t seem very professional and is why the incident garnered attention. It also highlighted just how common copying and pasting code is.

Borrowing existing code that has been made public is not necessarily a bad thing. It can give programmers, developers and IT admins a quick solution to problems they are facing with their own code.

But a new kind of attack called pastejacking is making this practice more dangerous. Using the browser function execCommand('copy'), cybercriminals can alter what lands on your clipboard when you copy text from a webpage, so what you paste into a terminal window is not what you saw on the page. An innocent piece of text can be replaced by malicious code on the user’s clipboard. This was demonstrated by hacker Dylan Ayrey on GitHub using JavaScript.

He also noted that this method can be combined with a phishing attack to lure users into running seemingly innocuous commands, potentially allowing for remote code execution if the malicious code is pasted into the terminal.

According to independent web consultant Mark Stockley on Sophos’ Naked Security blog, pastejacking can be done with JavaScript and CSS:

“Unfortunately, thanks to CSS, you don’t necessarily know what you’re copying and, thanks to JavaScript, you don’t necessarily know what’s in your clipboard.

“There are terminals that will warn you if you’re pasting something that ends in a newline character, and there are browsers, say Lynx or Mosaic, that can insulate you from the modernity of CSS and JavaScript.”

Stockley said the best defence against pastejacking is to exercise caution when copying content off websites. Verify that the code is harmless by pasting it into a text editor first and looking it over before putting it into the terminal.
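A small defensive helper for that advice, added here as an example and not code from the article or from the GitHub demonstration it cites: it compares the text you selected on the page with what actually reached the clipboard and flags the traits a hijacked paste tends to carry (the trailing newline the quote above mentions, carriage returns, escape sequences and invisible characters). The sample strings are constructed.

```javascript
// Added example, not code from the article or from the pastejacking
// demonstration it cites. It automates the "paste into a text editor and
// look it over" step: given the text selected on the page and the text
// that actually landed on the clipboard, it lists every reason the paste
// should not go straight into a terminal.

// Invisible code points that render as nothing but still reach the shell.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/;
// ESC [ ... letter: an ANSI control sequence, e.g. one that clears the screen.
const ANSI_ESCAPE = /\x1B\[[0-9;?]*[A-Za-z]/;
// Remaining C0 control characters, excluding tab, newline and carriage return.
const OTHER_CONTROL = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/;

function inspectPaste(selectedText, clipboardText) {
  const findings = [];
  if (clipboardText !== selectedText) {
    findings.push('clipboard content differs from the selected text');
  }
  // The trailing newline is what makes the terminal run the line at once;
  // it is the case some terminals already warn about.
  if (/\n$/.test(clipboardText)) {
    findings.push('ends with a newline: a terminal would execute it on paste');
  }
  if (clipboardText.includes('\r')) findings.push('contains a carriage return');
  if (ANSI_ESCAPE.test(clipboardText)) findings.push('contains an ANSI escape sequence');
  if (ZERO_WIDTH.test(clipboardText)) findings.push('contains zero-width characters');
  if (OTHER_CONTROL.test(clipboardText)) findings.push('contains control characters');
  return { safe: findings.length === 0, findings };
}

// Render hidden characters as escapes so a reviewer can actually see them,
// much as `cat -A` would in a terminal.
function makeVisible(text) {
  return text.replace(/[\x00-\x1F\x7F\u200B-\u200D\u2060\uFEFF]/g, (c) => {
    if (c === '\n') return '\\n';
    if (c === '\r') return '\\r';
    if (c === '\t') return '\\t';
    const hex = c.charCodeAt(0).toString(16);
    return c.charCodeAt(0) < 0x100 ? '\\x' + hex.padStart(2, '0')
                                    : '\\u' + hex.padStart(4, '0');
  });
}

// Constructed sample: what the page showed versus a clipboard copy that
// gained a zero-width space and a trailing newline.
const shown = 'echo "not evil"';
const pasted = 'echo "not\u200B evil"\n';
console.log(inspectPaste(shown, pasted).findings);
console.log(makeVisible(pasted)); // echo "not\u200b evil"\n
```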

[Via Naked Security by Sophos]
