Pastejacking attack relies on your clipboard as an attack vector

The Pastejacking Attack exploits JavaScript to override the clipboard content and trick victims into running malicious code.

The security expert Dylan Ayrey has devised a new attack technique dubbed the Pastejacking attack that leverages on the victim’s clipboard.

The possibility of manipulating the clipboard without a victim noticing it a known for a long time, it is possible to do it by using HTML/CSS in a type of attack known as ‘clipboard hijacking’. Attackers can write malicious code in the clipboard and then fool victims into executing terminal commands.

This type of attack is known as clipboard hijacking, and in most scenarios, it is useless, except when the user copies something inside their terminal.

The new attack scenario sees victims receiving a phishing e-mail purporting to be from tech support could trick them into dropping a message into a terminal window and executing it. In reality, the attacker is exploiting the machine clipboard to launch the attack.

“Browsers now allow developers to automatically add content to a user’s clipboard, following certain conditions. Namely, this can only be triggered on browser events. This post details how you can exploit this to trick a user into running commands they didn’t want to get ran, and gain code execution.” is the description of the Pastejacking attack published on GitHub by Ayrey. “It should also be noted, for some time similar attacks have been possible via html/css. What’s different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it’s easier to copy in hex characters into the clipboard, which can be used to exploit VIM, all shown below.”

The expert published a proof-of-concept of the Pastjacking attack in which he asks users to copy the command echo “not evil” into the terminal, but the content stored in the clipboard is

echo “evil”\n.

The newline character appended to command doesn’t offer the opportunity to the user to modify it when he will paste the content from the clipboard to the terminal.

“If a user attempts to copy the text with keyboard shortcuts, i.e. ctrl+c or command+c, an 800ms timer gets set that will override the user’s clipboard with malicious code.” explained the expert.

The experts also provided also more sophisticated payloads, like the following one that will create a file in the user’s home directory and clean the terminal.

touch ~/.evil


echo “not evil”

“This command will create an evil file in your home directory and clear the terminal out. The victim appears to have the command they intended to copy, nicely pasted into the terminal”, he explains.

JavaScript is much more efficient for clipboard hijacking attacks compared to CSS, for example while using a CSS exploit the user must copy-paste the entire malicious text, a JavaScript exploit is triggered by copy also a single character of the whole malicious text.

This consideration opens the door to a dangerous attack scenario in which the attacker adds the Pastejacking JavaScript code to the entire page. At this point, it is sufficient that victims copy/paste anything inside the console to run unwanted commands.

A possible countermeasure consist in verifying the contents of the clipboard before pasting into a terminal, but the researcher warns where you verify these commands. For example, pasting them into vim, vim macros may be used to exploit your machine.

“An example of this can be seen in this demo and below

copyTextToClipboard(‘echo “evil”\n \x1b:!cat /etc/passwd\n’);

This demo echo evil when pasted in terminal, and it will cat the user’s /etc/passwd file when pasted into vim.”

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

Thank you


Pierluigi Paganini

May 31, 2016

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!