JavaScript PasteJacking

With the help of JavaScript, modern browsers can read and write to the user's clipboard, i.e. they can also manipulate it. The underlying technology is already old hat, but it is only recently that more and more attacks (under the name of "PasteJacking") have been circulating on the network that take advantage of this possibility for the inexperienced user. An implementation in JavaScript is banal.


Only the following script is integrated on the malicious side:

27670b8ba9840e688369822a3fcfb2d9

If you copy any text from such a page, the unwanted string always ends up in the clipboard (in this implementation regardless of the copied text). Instead of "evil command" you can now come up with a lot of ugly things. The whole thing becomes fatal if a line break at the end of the line is used to execute the code immediately:

27670b8ba9840e688369822a3fcfb2d9

It is also easy to reset the console output so that the user does not immediately notice what he has entered. For example, it is conceivable that when copying a harmless code snippet, you can shoot your partitions in passing.

27670b8ba9840e688369822a3fcfb2d9

The clipboard can be manipulated (in a different form) even without JavaScript:

27670b8ba9840e688369822a3fcfb2d9

If you select the desired text, in the latest Firefox (v. 45.0), for example, it is not this text but the text behind it that ends up in the clipboard.

Both methods can be tried out live here. Here the JS variant:

See the Pen Pastejacking #1 by David Vielhuber (@vielhuber) on CodePen.

As well as the CSS variant:

See the Pen Pastejacking #2 by David Vielhuber (@vielhuber) on CodePen.

Back