On Fri, Sep 28, 2018 at 04:54:03AM -0700, Marcus Linsner wrote:
> ie. you think you've copied what you see, but you copied so much more sneaky
> text that can take over your system.
>
> On this page[1] there's the text "ls -lat" which if you copy then paste in
> your terminal, you're actually pasting this whole thing instead:
>
> ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo
> -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep
> 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking #######
> (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo
> -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking
> ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking
> ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.';
> echo 'Use GUI interface using visual basic to track my IP'
> ls -lat
>
> I guess one mitigation would be setting a sudo password, even in VMs?
> Qubes has no password for sudo by default.
>
> What else can be done? Thoughts?
>
> If using uMatrix, uBlock Origin and NoScript, all with blocking all by
> default, the page only requires allowing (2 pieces of) CSS from
> www.blogger.com for this to be completely hidden: ie. you think you copied
> "ls -lat", but assuming you don't Ctrl+Shift+C it too AND look at the size of
> the copied text in the notification (575 bytes instead of 7), you won't notice
> anything abnormal, until pasted in the terminal.
>
> If not allowing even the CSS, then there's something visible on the left when
> "ls -lat" is selected (actually when the space in-between is selected) which
> gives it away. I attached the 3 pictures for this case.
>
> (Not attaching screenshot for when allowing (only) CSS from www.blogger.com
> because it's obvious that it looks normal and you can't see the hidden text.)
>
> [1]
> https://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html

I am never in favour of copying and pasting commands into a terminal. The best "mitigation" is not to do it. An alternative would be to copy the text, paste it into a plain text editor, inspect what's there and then copy that.

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180928120654.6zyqf2o27xwbbxc7%40thirdeyesecurity.org.
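
The "inspect what's there" step from the reply, and the size check from the quoted message (575 bytes instead of 7), can be scripted. This is an added example, not part of the original thread; the names inspect_paste and visible and the shortened sample clipboard string are constructed for illustration.

```python
import sys
import unicodedata

# Constructed sample: the text the reader selects, and a shortened stand-in
# for what the page really puts on the clipboard.
VISIBLE = "ls -lat"
CLIPBOARD = "ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'\nls -lat"


def visible(clip):
    """Escape the text so line breaks and invisible characters show up."""
    return clip.encode("unicode_escape").decode("ascii")


def inspect_paste(clip, expected=""):
    """Return a list of warnings about clipboard text before it is pasted."""
    warnings = []
    if expected and clip != expected:
        got = len(clip.encode("utf-8"))
        want = len(expected.encode("utf-8"))
        warnings.append(f"size mismatch: clipboard is {got} bytes, selection was {want}")
    # Every line that ends in a line break is run by the shell as soon as
    # the text is pasted, before the user can read it.
    breaks = clip.count("\n") + clip.count("\r")
    if breaks:
        warnings.append(f"{breaks} line break(s): earlier lines execute on paste")
    # Control (Cc) and format (Cf) characters such as ESC or zero-width
    # spaces do not render but are still sent to the terminal.
    hidden = sorted({f"U+{ord(c):04X}" for c in clip
                     if c not in "\n\r\t" and unicodedata.category(c) in ("Cc", "Cf")})
    if hidden:
        warnings.append("invisible characters: " + " ".join(hidden))
    # Separators that were not in the selected text mean extra commands.
    seps = [s for s in (";", "&&", "||", "$(", "`") if s in clip and s not in expected]
    if seps:
        warnings.append("command separators: " + " ".join(seps))
    return warnings


if __name__ == "__main__":
    # Usage: pipe the clipboard content in on stdin; the selected text may
    # be given as the first argument for the size comparison.
    text = sys.stdin.read()
    print(visible(text))
    found = inspect_paste(text, sys.argv[1] if len(sys.argv) > 1 else "")
    print("\n".join(found) if found else "nothing suspicious found")
    sys.exit(1 if found else 0)
```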