• glibg10b@lemmy.ml
      10 months ago

      JavaScript can be used to get your password (if you enter it somewhere after pasting) or a session token, which gives an attacker temporary access to your account, unless a website is designed well enough to suspect that the attacker is not you.

    • Black616Angel@feddit.de
      10 months ago

      Now what most people don’t know is that websites can insert arbitrary text when you copy stuff off them. A malicious site will abuse that.

      It works like this:

      You follow a tutorial online or search for a code snippet. You copy some code/said snippet and paste it into a terminal or the browser command line. This copied text is altered by the site to be a one-line command to install malware or grab passwords or cookies. All of that is followed by a line break and maybe your real command to lower suspicion.

      Some of the terminal or browser shells interpret a line break in the copied text as enter which then executes the command.

      To prevent that, get a shell that doesn’t just execute what you paste (fish shell) or a terminal program that warns you about line breaks (MobaXterm).
      And please check text from unknown sites before pasting it into a program that may execute it right away. (Just paste it into a text editor or look at your clipboard manager, like Win+V in Windows.)
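
Added example, not part of the thread: one way to automate the "check before pasting" step by scanning copied text for the line breaks described above. It goes beyond the comment by also flagging other control characters, the terminal bracketed-paste terminator and invisible Unicode format characters; the function names and sample strings are constructed for illustration.

```python
import unicodedata

# Characters a shell or terminal may treat as "Enter" when pasted.
LINE_BREAKS = {"\n", "\r", "\x0b", "\x0c", "\x85", "\u2028", "\u2029"}
PASTE_END = "\x1b[201~"  # sequence that terminates terminal bracketed-paste mode


def inspect_paste(text):
    """Return (kind, detail) findings for text that is about to be pasted."""
    findings = []
    breaks = sum(1 for ch in text if ch in LINE_BREAKS)
    if breaks:
        lines = [ln for ln in text.splitlines() if ln.strip()]
        findings.append(("line-break",
                         f"{breaks} line-break character(s), {len(lines)} non-empty line(s)"))
    if PASTE_END in text:
        findings.append(("paste-escape", "contains ESC[201~ (ends bracketed paste early)"))
    for offset, ch in enumerate(text):
        if ch in LINE_BREAKS or ch == "\t":
            continue
        category = unicodedata.category(ch)
        if category == "Cc":    # remaining control characters, e.g. ESC or backspace
            findings.append(("control", f"U+{ord(ch):04X} at offset {offset}"))
        elif category == "Cf":  # zero-width and bidi characters that hide or reorder text
            findings.append(("invisible", f"U+{ord(ch):04X} at offset {offset}"))
    return findings


def visible(text):
    """Render the text on one line with every non-printable character escaped."""
    return "".join(ch if ch.isprintable() else ch.encode("unicode_escape").decode()
                   for ch in text)


if __name__ == "__main__":
    # Constructed samples standing in for clipboard contents.
    samples = [
        "ls -la",                      # what the page displayed, unaltered
        "echo first\necho second\n",   # extra line plus trailing line break
        "ls\u200b -la",                # zero-width space hidden in the command
    ]
    for sample in samples:
        print(visible(sample))
        for kind, detail in inspect_paste(sample) or [("ok", "nothing suspicious")]:
            print(f"  [{kind}] {detail}")
```
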