"Don't Copy-Paste commands from webpages — you can get hacked"
> "We always recommended to open a plain ascii editor, paste it there and see if there is no other code there. It is an old and sane advice"
The best advice is to not use a desktop terminal at all, only use the gettys started by init.
The clipboard has often been a source of data leaks, going back to the beginning of GUIs.
I looked up this specific exploit, and it's called "pastejacking". It was first discovered about six years ago by Dylan Ayrey and apparently recently rediscovered independently by Gabriel Friedlander.
In essence, the clipboard is a user-level IPC, and those are always attractive security targets.
GUI = graphical user interface
IPC = interprocess communication
man getty
man init
@lupyuen
The issue here is not that JavaScript can respond to events -- that's a useful feature. The problem is that JavaScript has access to the clipboard. When did they add that feature? Whose numb-skull idea was that? Can they read the clipboard as well? That'd be a huge security issue as well.
I can see no legitimate purpose to allowing JavaScript on a web page to have access to the clipboard.
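The "paste it somewhere inert and look before you run it" check quoted at the top of the thread, as an added example that is not part of any post here. The function names and the sample strings are constructed for illustration.

```python
import unicodedata

# Constructed samples: the command as it was displayed on the page, and
# what a copy handler could have placed on the clipboard instead.
SHOWN = "sudo apt update"
PASTED = 'echo "not what you selected"\nsudo apt update\n'


def visible(text):
    """Render text so nothing in it is invisible or acts on the terminal."""
    out = []
    for ch in text:
        cat = unicodedata.category(ch)
        if ch == "\n":
            out.append("\\n\n")  # show the newline, then break the line
        elif cat in ("Cc", "Cf") or (cat.startswith("Z") and ch != " "):
            out.append("<U+%04X>" % ord(ch))  # control, format, odd spaces
        else:
            out.append(ch)
    return "".join(out)


def inspect_paste(text, expected=None):
    """Return reasons not to paste `text` straight into a shell."""
    findings = []
    # Without bracketed paste, a pasted line break submits the line at once.
    if "\n" in text or "\r" in text:
        findings.append("newline")
    # Other control characters (ESC, backspace, ...) can rewrite the display.
    if any(unicodedata.category(c) == "Cc" and c not in "\n\r\t" for c in text):
        findings.append("control")
    # Format characters (zero-width, bidi marks) are not shown on screen.
    if any(unicodedata.category(c) == "Cf" for c in text):
        findings.append("invisible")
    # Compare with what you believe you selected on the page.
    if expected is not None and text != expected:
        findings.append("mismatch")
    return findings


if __name__ == "__main__":
    print(visible(PASTED), end="")
    print(inspect_paste(PASTED, expected=SHOWN))
```

Feed it the clipboard contents from a file or pipe rather than pasting into an interactive prompt, so the text is only ever treated as data.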