Tricking users into running malicious code through the terminal

Visit the following website and try out the instructions.

http://thejh.net/misc/website-terminal-copy-paste

I was genuinely surprised and scared for a second. One can argue that this is not really a problem with terminals, but with HTML/CSS.

I don't usually copy and paste from the browser into the terminal. With longer commands I do, but only after checking the code for malicious content. After discovering this I am not sure if I can ever assume any code to be safe.

Thankfully, a user going by the username moonboots shared the following on Hacker News:

Bash and Zsh provide shortcuts to open a text editor where commands can be pasted and edited before running (Ctrl-x Ctrl-e in bash, need to enable in zsh).

Sample .zshrc to map edit-command-line to Ctrl-x e:

autoload edit-command-line
zle -N edit-command-line
bindkey '^Xe' edit-command-line

So please use the aforementioned solutions for your respective shells before copy-pasting something from the web, or manually open a text editor and paste into it first.

Also remember that it's always better to just type out the commands instead of copy-pasting, though for long pieces of text it can vary from being annoying to unfeasible.
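
One way to apply the paste-and-inspect advice without leaving the terminal, as an added example that is not from the original post or from the Hacker News comment: a shell function that reads text on stdin and reports embedded newlines and control or non-ASCII bytes before anything reaches the prompt. The name inspect_paste and the clipboard commands in the comments are assumptions.

```shell
#!/bin/sh
# Added example: inspect text before it reaches the shell prompt.
# Usage (assumed clipboard tools): xclip -o -selection clipboard | inspect_paste
#                                  pbpaste | inspect_paste        # macOS
# Returns 0 only when the text is a single line of printable ASCII.
inspect_paste() (
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"

    # Every newline acts as an Enter key press: the shell runs what precedes
    # it as soon as it is pasted, before you have had a chance to read it.
    newlines=$(LC_ALL=C tr -cd '\n' < "$tmp" | wc -c | tr -d ' ')

    # Bytes outside printable ASCII: escape sequences, tabs, carriage
    # returns, and non-ASCII characters that can imitate ordinary letters.
    odd=$(LC_ALL=C tr -d '[:print:]\n' < "$tmp" | wc -c | tr -d ' ')

    echo "--- pasted text, made unambiguous (\$ marks each line end) ---"
    sed -n l "$tmp"
    echo "--- ${newlines} newline(s), ${odd} control or non-ASCII byte(s) ---"

    if [ "$newlines" -gt 0 ] || [ "$odd" -gt 0 ]; then
        echo "SUSPICIOUS: open it in an editor (Ctrl-x Ctrl-e) before running"
        exit 1
    fi
    echo "OK: single printable line"
    exit 0
)

# Constructed sample: the first line is followed by a second command that
# would run immediately on paste.
printf 'echo visible\necho second-line\n' | inspect_paste || true
```

A non-zero exit status means the text is not what a single visible command would look like, so it should go through the editor first.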
