JavaScript PasteJacking

Modern browsers let JavaScript read from and write to the user's clipboard, which means a page can manipulate it. The underlying technique is old hat, but only recently have more and more attacks under the name "PasteJacking" been circulating on the net that exploit this capability at the expense of inexperienced users. An implementation in JavaScript is trivial.


On the malicious page only the following script is included:


If you copy any text from such a page, the unwanted string always ends up in the clipboard (in this implementation regardless of which text was copied). Instead of "evil command", any number of nasty things can be substituted. It becomes truly dangerous when a line break at the end of the line causes the code to be executed immediately on paste:


It is also easy to reset the console output so that the user does not immediately notice what was entered. It is conceivable, for example, that someone copying a harmless code snippet wipes their partitions in passing.


The clipboard can be manipulated (in a different form) even without JavaScript:


If you select the desired text, then for example in the latest Firefox (v. 45.0) it is not this text but the text behind it that ends up in the clipboard.
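Seen from the receiving side, both variants leave the same traces: the clipboard content differs from what was selected, and it may carry line breaks that a shell treats as Enter. The following check is an added example, not code from the original post; `auditPaste`, its finding names and the sample strings are constructed for illustration, and the control-character check is an assumption that goes beyond what the post describes.

```javascript
// Added example: audit clipboard text before it reaches a terminal.
// auditPaste, its finding names and all sample strings are constructed.

// C0 control characters (ESC included) except tab, LF and CR, plus DEL.
const CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g;
const LINE_BREAK = /\r\n|\r|\n/;

function auditPaste(selectedText, clipboardText) {
  const findings = [];
  // A JS copy handler and hidden CSS text both show up as a mismatch.
  if (clipboardText !== selectedText) findings.push('differs-from-selection');
  // Every line terminator acts as "Enter" when pasted into a shell.
  const autoExecutedLines = clipboardText.split(LINE_BREAK).length - 1;
  if (autoExecutedLines > 0) findings.push('line-break');
  const withoutControls = clipboardText.replace(CONTROL_CHARS, '');
  if (withoutControls !== clipboardText) findings.push('control-character');
  return {
    ok: findings.length === 0,
    findings,
    autoExecutedLines,
    // Escaped form that makes newlines and control bytes visible for review.
    visible: JSON.stringify(clipboardText),
    // One printable line: it cannot run by itself, the user still has to
    // read it and press Enter.
    sanitized: withoutControls.split(LINE_BREAK).join(' ').trim(),
  };
}

// Constructed samples: the user highlighted `selected`; each value is what
// arrived in the clipboard instead.
const selected = 'ls -la';
const samples = {
  clean: 'ls -la',
  swapped: 'echo placeholder-unwanted-command',
  autoRun: 'echo placeholder-unwanted-command\n',
  multi: 'echo placeholder-unwanted-command\r\nls -la\n',
  control: 'ls\x1b[2J -la',
};

for (const [name, text] of Object.entries(samples)) {
  const r = auditPaste(selected, text);
  console.log(name, r.ok ? 'OK' : 'BLOCK', r.findings.join(','), r.visible);
}
```

Pasting into a plain text editor first gives the same visibility by hand: the real clipboard content and any trailing line break become visible before anything is executed.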

Both methods can be tried out live. First the JavaScript variant:

See the Pen Pastejacking #1 by David Vielhuber (@vielhuber) on CodePen.

And the CSS variant:

See the Pen Pastejacking #2 by David Vielhuber (@vielhuber) on CodePen.
