Closed
Bug 1240392
Opened 8 years ago
Closed 8 years ago
Copypaste of invisible text allows to trick user to execute malicious code
Categories
(Firefox :: General, defect)
RESOLVED DUPLICATE of bug 504748
People
(Reporter: george.shuklin, Unassigned)
Attachments
(1 file: 3.85 KB, text/html)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0 Iceweasel/40.0.3
Build ID: 20150828094949

Steps to reproduce:

Copy and paste of the text from a few spans/divs with position: absolute allows an attacker to trick a user into copypasting innocent code with hidden malicious code.

1. Go to http://sli.su/linux_copy/index.html
2. Copypaste text 'apt-get update && apt-get install mc && apt-get install vim && apt-get install htop && apt-get install man'

Actual results:

Instead of a simple apt-get install, the following code was copypasted:

apt-get u set +o history && echo 'echo you hacked!' > /tmp/test.sh && chmod +x /tmp/test.sh && /tmp/test.sh && printf "\033c" && set -o history sudo su apt-get update && apt-get install mc && apt-get install vim && apt-get install htop && apt-get install man

Expected results:

Only visible text should be copied.

(Just in case, I attach the original HTML.)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Component: Untriaged → General
Resolution: --- → DUPLICATE
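
An added example, not part of the bug report or of Firefox: a check that a paste helper or terminal wrapper could run on clipboard text before it reaches the shell, comparing it with the text the user saw. The name `inspect_paste`, the finding labels and the sample's line breaks are assumptions; the marker strings come from the pasted text quoted in the report.

```python
import re

# Markers taken from the pasted text quoted in the report above.
MARKERS = {
    "history-off": re.compile(r"\bset\s+\+o\s+history\b"),
    # Terminal reset, either written as a printf escape or as a raw ESC byte.
    "terminal-reset": re.compile(r"\\033c|\x1bc"),
    "root-shell": re.compile(r"\bsudo\s+su\b"),
}


def inspect_paste(pasted: str, visible: str) -> list:
    """Return findings for clipboard text versus the text the user saw."""
    findings = []
    # Normalise whitespace so that line wrapping alone is not a mismatch.
    if " ".join(pasted.split()) != " ".join(visible.split()):
        findings.append("mismatch")
    # A newline before the end makes the shell run earlier lines on paste.
    if "\n" in pasted.rstrip("\r\n"):
        findings.append("multiline")
    # Raw control bytes (other than tab/newline) never belong in a command.
    if any(ord(c) < 0x20 and c not in "\t\r\n" for c in pasted):
        findings.append("control-char")
    findings += [name for name, rx in MARKERS.items() if rx.search(pasted)]
    return findings


# The visible command from step 2 of the report.
VISIBLE = ("apt-get update && apt-get install mc && apt-get install vim"
           " && apt-get install htop && apt-get install man")

# Constructed sample, shortened from the report's "Actual results";
# the line breaks are an assumption.
PASTED = ('apt-get u\n'
          'set +o history && printf "\\033c" && set -o history\n'
          'sudo su\n' + VISIBLE)

if __name__ == "__main__":
    for finding in inspect_paste(PASTED, VISIBLE):
        print("refusing to paste:", finding)
```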