It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read.
On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.@SkaveRat pointed out that it doesn’t require permission, only interaction. So likely there’s a button that’s clicked that writes to the clipboard, and most browsers are susceptible to this.
not when there was a user intent like clicking a button.
For example in this screenshot, it’s likely that there’s only the “verify I’m human” button first, you click it, the steps pop up, and at the same time the command ist copied into your clipboard
Why isn’t the default behavior for browsers to not allow access to the clipboard? Similar to how it prompts you for access to camera/microphone
Edit: On a per-site basis, like if you use the Zoom website it asks you for access to the webcam, would something like this work for clipboard as well or would it break stuff?
There is no inherent security problem with changing the content of the clipboard. That doesn’t do anything until the user pastes it somewhere; of course if that “somewhere” is a command prompt, then that is a security problem, but users really ought to check what they’re pasting there before they execute it (yeah, I know, “ought to”).
It would be possible to do it the way you say, but that would mean that the user would need to allow that for many websites; I don’t think copying from apps like Google Docs would work anymore, and “here’s your access token, click here to copy it to the clipboard” features certainly wouldn’t.
The screenshot in the OP would then probably be changed to include a step “click: allow clipboard access”; I think most people who fall for the screenshot in the OP would also fall for that.
Exactly. Furthermore they’d probably just include it in those instructions “Step 1: when the box pops up with clipboard press allow”
The browser can’t access your clipboard contents without permission, but it can place text into the clipboard.
The problem is people the talking the copied text and pasting it into the command prompt.
Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.
Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.
In Firefox, you can disable the clipboard events. I’ve done this for the rare case of me copy+pasting a password and forgetting to clear the clipboard after.
On Android, I’ve noticed that it’s possible for apps to read from the clipboard, to read OTP tokens for example. Since I noticed that a while back, I’ve always been wary of the clipboard on any device I’ve used.
but it can place text into the clipboard.
Only as the result of a user interaction, for example by pressing a button.
From the Browser’s viewpoint, would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
It’s not like there’s that much of a difference, as far as the Browser is concerned.
would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
Clicking a button shows user intent, whereas a page load doesn’t. No user expects loading a page to overwrite their clipboard, but every user that clicks a “Copy to Clipboard” button does expect it.
Exactly, copy requires a click but there’s no rule that the copy button has to look like anything particular
It doesn’t necessarily need a click - it can be triggered by a keypress too (eg at my workplace we have a few internal pages where you can press a keyboard shortcut to copy a shortened URL for the current page).
It has to be something the browser considers a user interaction, meaning the user has expressed an intent to perform the action. That’s usually a button press or keypress.
It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it
Yeah, that’s a security hole that I hadn’t been aware of.
As someone tech literate that looks hilarious to follow through with.
But if not, that really does seem similar to a normal captcha with fairly simple steps.
its not working, my krunner bind is windows+d
Why not Alt+F2?
I have fn lock on for volume and brightness, so that becomes Alt+FN+F2
So inventive these guys. If only we could harness that ingenuity for the common good instead, it would have a huge impact.
“To prove that you are human, donate $$$ to Doctors Without Borders.”
“To prove that you are human, register to vote.”
“To prove that you are human, adopt a pet from the local animal shelter.”
To prove you are human, a turtle is upside down, or whatever the blade runner test thing was.
“To prove that you are human, adopt a pet from the local animal shelter.”
I’ve got 22 cats already, but I need to check my email!
PLEASE ADOPT VERIFICATION CAT TO CONTINUE
THEY’RE EATING THE DOGS. THEY’RE EATING THE CATS.
Sorry.
Fwiw there are a large number of people who volunteer their time and effort toward worthwhile projects. It’s just they don’t get rewarded anywhere near the level of benefit that they provide.
Yup, I used to do that as a hobby, but now that I have kids, I just don’t have the time. There’s no way I could do it full-time, so I have a regular 9-5 that pays reasonably well for a cause I don’t hate. For me, that’s enough.
I hope I can make enough at my day job to go back to working on FOSS projects before I lose my ability to write competent software.
When you look at the value proposition purely from a capitalistic standpoint, I get why scammers and black hats exist. I just wish they could point their weapons toward the 1% and pull something similar to a Mr. Robot and redistribute their wealth.
Agreed. Unfortunately, as long as scamming is profitable, people will do it. And this has nothing to do with capitalism, scamming happens under any system where it’s possible to get an advantage by tricking people.
I really wish we’d have better enforcement here. I don’t really know what that should look like (i.e. what mix of oversight vs privacy), but I’m quite annoyed when I see resources put toward harassing regular citizens over stupid things like speeding on an empty road when we could put those resources into tracking and shutting down scammers. I watch some YouTubers who do that, so it’s not like it takes resources we don’t have…
What’s the plagiarism machine, AI/LLM chatbots?
Yes
Don’t forget, they’re slander and disinformation machines too.
The printing press, of course
mhm
Uber
Airbnb
Bitcoin?
LLMs?
VHS
Last two are clearly “US dollars” and “printing press”
I can’t even download and run the first two, those are business innovations! 🤮
Usually I warn my 81 year old dad about these scams. Don’t think I need to worry about this one, he wouldn’t be tech savvy enough to find the windows button
Same here, nothing to worry about
When I saw a women get hacked aftermath. They installed remote access software, however in her downloads you could see the 10 duplicates.
The scum fuck scammer on the phone had to spend at least 45 minutes trying to get them to navigate to their downloads and run the installer.
Our elders are safe from this one lol
Sometimes I feel bad for scammers because I know how long it takes just to freaking reset a password on legitimate support calls at work (and usually that’s someone who’s put in a vague ticket saying “software isn’t working” so I emailed them a “I’m not a psychic” email with a link to schedule a call which requires one to schedule on the next business day just to finally talk on the phone and identify what they couldn’t write out in their ticket 2 days ago) but then I remember that they’re fucking scammers and often fully aware of what they’re doing
That’s going to catch some people, especially older ones.
Yet if I was helping my elders over the phone, I’d get all sorts of “What Windows key?”, “I can’t find that Control key”, or “I did that key, the plus key, and then my hand slipped and I minimized everything.”
That’s probably why they “helpfully” include a little picture of the symbol on the key, so you know what it looks like.
Followed instructions but verification failed, seems like nothing happened except dick got stuck in toaster again. Using Arch, btw.
You have to
pacman -S femboy
first.
I wish more people knew what Run… did, but the Ctrl + v should be a little more obvious. We need to teach more computer literacy if you don’t immediately know that means you’re copying text to something.
Especially on a shady site, mind you. But then again, this could be on a phishing email, so that’s not always the case I guess. (I got one from “STARBUCKS” that Gmail didn’t catch, their spam filter has been shit lately, blocking my work emails but letting through a lot of sus stuff).
Could have been sneakier perhaps if it said Shift+Insert instead of Ctrl+V.
Yeah, all this behaviour leads to is more annoyances for the people who do know what they’re doing. People should really learn how the devices they use every day work, which includes stuff like the command prompt. Not necessarily how to use it, but at least what it is and what it can do.
This is actually pretty smart because it switches the context of the action. Most intermediate users avoid clicking random executables by instinct but this is different enough that it doesn’t immediately trigger that association and response.
Just reported by Mohamed Aruham on Twitter
The oldest tweets I could find that actually started reporting this are from ~16 days ago.
https://x.com/Piotrdotcom/status/1829126494574067992
They reference a page here that was posted on Aug 29th.
Instructions were unclear, ransomware dev now owes me 0.15 bitcoin.
We now need a “verify you are a captcha” mechanism to counter this.
This reminds of when I was 13 I used to tell my opponents in Warcraft 3 that pessing alt+q+q quickly reveals the map. It’s a shortcut for closing the game. Worked way to many times
I do see this working
Don’t have to tell me, I just tried summoning quillbeasts while looking at health bars
also makes the victims self selecting, much like the deliberate spelling errors in scam mails.
We’d constantly get people by telling them holding alt and typing fax would get mirc to give them ops. Usually about a quarter of the channel would drop out.
ALT+F4 for free funds, opened alot of slots on bfh servers whenever my friends couldn’t join.
was funny when someone said “alt f4” and 3 people immediately leave LOL
Haha, god I loved doing this on Counter-Strike. “Did you guys hear about the hidden tit pics in counter strike? No shit, hold alt and press f4 and it shows the best tits I’ve ever seen. I don’t know how game developers get away with this stuff.”
Half the lobby is gone, the other half is laughing.
“Cheat Enabled.”
btw if you want to try and hack me, my IP is 127.0.0.1
/disco mode on
Yeah, and you can dupe items in RuneScape by dropping them and pressing Alt+F4. Don’t worry, I’ll stand way over here to prove I’m not trying to steal it. If I try to pick up the item you’ll see me move, and you can just pick it up first.
The day of a new patch in WoW I said in general chat “wow, they finally put a confirmation when you type /gquit , crazy how long it took” and sit in town and watch peoples guild names disappear
That is extremely hilarious
Except for the fact that a lot of less tech savvy people will fall for it.
Failed to execute child process: “calc.exe” (No such file or directory)… hehe