Once, you could use HTML/CSS to manipulate the clipboard, but it was not a good way to do so. Now a security bod has worked out how to do it in JavaScript and reckons it's a lot more dangerous.

At first glance, it looks like purely a stunt-attack, except for this: a phishing e-mail purporting to be from tech support could trick a victim into dropping a message into a terminal window and executing it – not realising that what's in the clipboard got changed on the way.

In the simple proof-of-concept of “Pastjacking” here, you think you're copying the command echo “not evil” into the terminal, but what lands in the clipboard is echo “evil”

.

The newline appended to what lands in the clipboard means the user doesn't get the chance to review what appears on the terminal command line: as soon as they paste from the clipboard to the terminal, it executes.

Dylan Ayrey, who published the exploit at GitHub, explains: “If a user attempts to copy the text with keyboard shortcuts, i.e. ctrl+c or command+c, an 800ms timer gets set that will override the user's clipboard with malicious code”.

Another example he gives is:

touch ~/.evil

clear

echo "not evil"

“This command will create an evil file in your home directory and clear the terminal out. The victim appears to have the command they intended to copy, nicely pasted into the terminal”, he writes.

Since it's the act of copying that triggers the JavaScript, copying a single letter of a crafted string is sufficient to get the malicious content dropped in the clipboard, and Ayrey notes that the attack can be used to exploit Vim as well. ®