Hidden Text Attacks
What are Hidden Text Attacks?
Users on the Internet often encounter text snippets that are ready to be copied and used in a console or similar. This can be very dangerous, and users have to be very careful and vigilant when using such "shortcuts", because what you think you copy might not be what you actually copy. Malicious modification of the clipboard can happen.
This issue is not specific to Kicksecure ™; probably every user on every operating system is vulnerable to it.
Demonstration of a Hidden Text Attack
1. Take a good look at the following copy to paste box in step 3.
Consider this example. It looks innocent enough, just checking whether there are updates for your Linux packages. Would you copy it?
2. The copy to paste box contains the content sudo apt update, right? Yes.
3. Copy the following into the clipboard by pressing the copy button.
4. Paste the text into a text editor of your choice.
5. Here is the surprise.
- A) What you think you copied. 1 line.
sudo apt update
- B) This is what you actually copied. 5 lines.
sudo apt install malware1

sudo apt install malware2

sudo apt update
Hidden Text Attacks Discussion
Fortunately, there's no Linux package called "malware". But consider a command that downloads malware and executes it, or something else such as a deletion command, which could harm your system.
What makes matters worse is the added auto-execution risk when pasting the command. This is because multiple lines have been copied instead of just 1 line. At least in the past, many terminal emulators automatically executed pasted commands. The question "Stop terminal auto executing when pasting a command" is evidence for this.
The terminal installed by default in Kicksecure ™ (xfce4-terminal at time of writing) comes with an Unsafe Paste Warning Popup when attempting to paste multiple lines.
Of course, this specific example can be detected easily as soon as you enter the code into a text editor. However, if you simply copy-paste this command into your terminal and press enter before you read it, you might be in big trouble.
If you copy from an untrustworthy website, you might copy some invisible (not displayed) control characters which could lead to compromise. This is elaborated on the Invisible Malicious Unicode Risks wiki page.
When is a website untrustworthy? Even if a website was trustworthy in the past, it should always be considered potentially compromised, as hacks could happen at any time.
So please be very vigilant.
As you can see the text which you are copying may not be what you expect. A variety of available text-based attacks make the portion of the text invisible to even the most observant users. If the website you are copying the command from becomes compromised or simply is malicious you can be easily tricked into running unexpected code. This can be prevented by pasting the command into a text editor before executing it. This attack is even simpler if the website features a helpful button which lets you easily copy the command into your clipboard.
This quote is from Filip Borkiewicz (0x46.net), chapter "Hidden text attacks". A very helpful article about the dangers of random text pasting.
Protection from Hidden Text Attacks
There are at least two ways in which users can protect themselves from hidden text attacks.
1. Copy from a website.
2. Paste into a graphical text editor.
3. Save the text as a local text file.
4. Scan the file for malicious unicode.
5. Understand the copied commands to be run.
Ideally, users should only execute commands which they fully understand. The second best thing would be to only execute commands from trusted sources. But what is a trusted source? Websites on the internet might get compromised by adversaries at any time.
6. Copy from the local text file.
7. Paste the command into the terminal and execute.
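Steps 4 and 5 of this method can be partly automated. The following Python script is an added example, not part of the original wiki page or of Kicksecure's tooling; its function names and sample strings are constructed for illustration, and the blank-line layout of the 5-line sample is an assumption. It reports how many lines and commands a saved paste contains and flags control, invisible format, bidirectional and non-ASCII characters.

```python
import sys
import unicodedata

# Bidirectional controls: they change the order in which text is displayed.
BIDI = {0x061C, 0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}

def classify(ch):
    """Return a reason if ch is suspicious inside a shell command, else None."""
    cp = ord(ch)
    if ch in "\n\t":
        return None
    if cp in BIDI:
        return "bidi control (reorders displayed text)"
    cat = unicodedata.category(ch)
    if cat == "Cc":
        return "control character"
    if cat == "Cf":
        return "invisible format character"
    if cp > 0x7F:
        return "non-ASCII character (possible look-alike)"
    return None

def scan(text):
    """List (line, column, 'U+XXXX', reason) for every suspicious character."""
    findings = []
    for ln, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            reason = classify(ch)
            if reason:
                findings.append((ln, col, f"U+{ord(ch):04X}", reason))
    return findings

def review(text):
    """Summarise what a paste of this text would hand to the shell."""
    lines = text.split("\n")
    commands = [l for l in lines if l.strip()]
    return {"lines": len(lines), "commands": commands, "findings": scan(text)}

# Constructed samples: PASTED mirrors the 5-line case B from the demonstration.
PASTED = "sudo apt install malware1\n\nsudo apt install malware2\n\nsudo apt update"
HIDDEN = "sudo apt\u200b update\u202e\r"

if __name__ == "__main__":
    # Scan the saved file given as argument, else the constructed samples.
    texts = [open(sys.argv[1], encoding="utf-8", newline="").read()] if sys.argv[1:] else [PASTED, HIDDEN]
    for r in map(review, texts):
        print(f"{r['lines']} line(s); would run: {r['commands']}")
        for finding in r["findings"]:
            print("  suspicious:", finding)
```

A clean report only means none of these character classes were found; the commands themselves still have to be read and understood before they are run.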
1. Look at the website.
2. Read the commands and manually write them into a terminal.
The disadvantage of this method is that users often introduce mistakes while manually typing the commands.
The disadvantage of these methods is obviously that they are much more cumbersome than a simple copy and paste procedure. A simpler and secure way to use copy/paste has yet to be researched.
Default Interactive Shell
- Invisible Malicious Unicode Risks
- IDN Homograph Attacks
- Unsafe Paste Warning Popup
- virtual consoles