You think it is harmless. You want to capture a snippet of code from an online tutorial for future use. You don’t want to re-type it for fear you will make a mistake. So, you decide it’s faster and easier to just copy and paste. Are you aware of what could happen? Did you just make a mistake?
In the code you copied, a hacker may have hidden malicious code that could download and install malware on your computer without your knowledge. If there is an opportunity, a hacker will exploit it. You may think that you will never fall for such a trick, but mistakes do happen.
Out with the Old – In with the New
Appending malicious content to a clipboard is not a new concept. Exploits within Cascading Style Sheets (CSS) have been used in the past. An attacker can use CSS to append malicious content to the clipboard without the user knowing, which makes it easy to get commands executed. This is known as clipboard hijacking.
A key differentiator in pastejacking is that the code can be delayed so that it executes after an event. An attacker can wreak havoc by combining pastejacking with a malicious phishing email.
There are third-party tools that give you control over whether a script is permitted to run, allowed to run temporarily, or blocked on a particular site. The problem is that these tools are not 100% foolproof.
The research paper CrossFire: An Analysis of Firefox Extension Re-Use Vulnerabilities identifies nine of the most popular browser add-ons for Firefox as containing exploitable vulnerabilities. NoScript is one of them. These add-ons are susceptible to what is known as an extension re-use vulnerability. An attacker can piggyback off the trusted add-on extension to conceal malicious behavior.
Don’t rely on third-party tools to protect you from hidden malicious code. Don’t rush to paste that text into your computer. The best course of action is to review what you have copied first in a text editor. Be of the mindset that what you copied is potentially hostile until you have sanitized it.
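The review step described above can be partly automated. The following is an added example, not code from the original article: it flags the things a text editor may not show you (line breaks that make a terminal run the line at once, escape sequences, control characters, zero-width and other invisible formatting characters) and optionally compares the clipboard with what you saw on the page. The function names and the sample strings are constructed for illustration.

```python
import unicodedata


def inspect_copied_text(clipboard, displayed=None):
    """Return (offset, kind, detail) findings for text taken from the clipboard.

    displayed is the text as it appeared on the page, if you have it
    (for example, re-typed by hand); it is optional.
    """
    findings = []
    for offset, ch in enumerate(clipboard):
        category = unicodedata.category(ch)
        if ch in "\r\n":
            # A terminal runs the line as soon as it receives the line break.
            findings.append((offset, "line-break", repr(ch)))
        elif ch == "\x1b":
            findings.append((offset, "escape-sequence", repr(ch)))
        elif category == "Cc" and ch != "\t":
            findings.append((offset, "control-char", repr(ch)))
        elif category == "Cf":
            # Zero-width and bidi characters: in the data, invisible on screen.
            name = unicodedata.name(ch, repr(ch))
            findings.append((offset, "hidden-format-char", name))
    if displayed is not None and clipboard != displayed:
        detail = "%d vs %d chars" % (len(clipboard), len(displayed))
        findings.append((len(clipboard), "differs-from-displayed", detail))
    return findings


def reveal(clipboard):
    """Render the text with every non-printable or non-ASCII character escaped."""
    return clipboard.encode("unicode_escape").decode("ascii")


# Constructed sample: what the page showed versus what the clipboard held.
DISPLAYED = "git clone https://example.com/repo.git"
CLIPBOARD = "git clone https://example.com/repo.git\u200b; echo not-on-the-page\n"

if __name__ == "__main__":
    print(reveal(CLIPBOARD))
    for finding in inspect_copied_text(CLIPBOARD, DISPLAYED):
        print(finding)
```

An empty result means none of these markers were found; it does not mean the command itself is safe to run, so still read it before pasting.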