TE: Fear the simple copy & paste

Have you ever thought that an operation as simple as copying and pasting materials off your browser might be dangerous? If not, try copying and pasting the following text somewhere:

Copy me; clear; printf "Are you convinced now? I would have had arbitrary control over your terminal if you had pasted this in your terminal\041\n\n"
Copy me? :)

If you did not try, here's what you would have witnessed if you had pasted the text in your terminal:

That wasn't as innocent as you thought, eh? To figure out what happened, let's inspect the source of the text above:

See the boxed up area? That is the area containing the injected code. Notice, however, that the position of the text is set to some extreme negative values. This would effectively position the injected text off the screen even though (to your computer) it actually stands between the two words "Copy me".

Moral of the Story

The moral of the story is to be careful with what you copy and paste off the web, especially if you are copying a command that is to be entered into your terminal! If you do not trust the source, you should err on the side of caution and reproduce the command manually by typing it out. Note that though I have demonstrated only one technique to hijack your clipboard, it's also possible to do the same using other tricks (e.g. using Javascript). Therefore, unless you are ready to vet through the entire source code of the website you are copying materials from, you should either manually reproduce the material (by typing it out manually) or try pasting it into a safe area first (e.g. notepad).