Closed Bug 1240392 Opened 9 years ago Closed 9 years ago

Copypaste of invisible text allows to trick user to execute malicious code

Categories

(Firefox :: General, defect)

40 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 504748

People

(Reporter: george.shuklin, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0 Iceweasel/40.0.3
Build ID: 20150828094949

Steps to reproduce:

Copy and paste of the text from a few spans/divs with position: absolute allows an attacker to trick the user into copy-pasting innocent code with hidden malicious code.

1. Go to http://sli.su/linux_copy/index.html
2. Copy-paste the text 'apt-get update && apt-get install mc && apt-get install vim && apt-get install htop && apt-get install man'

Actual results:

Instead of a simple apt-get install, the following code was copy-pasted:

apt-get u set +o history && echo 'echo you hacked!' > /tmp/test.sh && chmod +x /tmp/test.sh && /tmp/test.sh && printf "\033c" && set -o history sudo su apt-get update && apt-get install mc && apt-get install vim && apt-get install htop && apt-get install man

Expected results:

Only visible text should be copied.

(Just in case, I attach the original HTML.)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Untriaged → General
Resolution: --- → DUPLICATE
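
A defender-side check for the mismatch this report describes, as an added example that is not part of the bug report or of Firefox: it compares the text a reader sees with the text a selection would pick up from an HTML fragment. The `audit` function, the inline-style heuristic and the sample markup are assumptions constructed for illustration; styles set in external stylesheets are not evaluated.

```python
import re
from html.parser import HTMLParser

# Heuristic (assumption): inline styles that can move text out of view while it
# stays selectable. "position: absolute" is the case named in the report.
OUT_OF_VIEW = re.compile(
    r"position\s*:\s*(?:absolute|fixed)|(?:opacity|font-size)\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # tags with no end tag


class CopyAudit(HTMLParser):
    """Splits text nodes into what is rendered in place and what is out of view."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # one flag per open element: inside an out-of-view subtree?
        self.copied, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or bool(OUT_OF_VIEW.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.copied.append(data)  # a selection spanning the block takes every node
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)


def audit(html):
    """Return visible text, copied text, hidden text and whether they differ."""
    parser = CopyAudit()
    parser.feed(html)
    parser.close()
    norm = lambda parts: " ".join("".join(parts).split())
    visible, copied = norm(parser.visible), norm(parser.copied)
    return {"visible": visible, "copied": copied,
            "hidden": norm(parser.hidden), "mismatch": visible != copied}


# Constructed sample: a harmless marker string stands in for the hidden text.
SAMPLE = ('<p>apt-get <span style="position: absolute; left: -100px">'
          "--constructed-hidden-text </span>install mc</p>")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `mismatch` of `True` means the clipboard would hold more than the reader saw, which is the condition the report's "Expected results" asks the browser to prevent.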