Firefox has a built-in warning against pasting. I think Chromium too. I don’t think they warn about account theft, though.
Chromium now requires you to type a string inside the console before it lets you paste anything.
Soon browsers will require you to implement fizzbuzz in the console before enabling paste 😅
Honestly, a Modulo-Captcha wouldn’t be that bad of an idea?
Sure, it’s not really “non-dev-proof”; but I guess a simple “To enable pasting, please type result to the following formula: 5%3” would at least stop some people that will gladly ignore the warning because obviously nobody wants to let you hack other Facebook accounts, but those guys told me it’s fine - but will already be confused and then feel smart by entering 0.15 because 5% of 3 is 0.15 … and wonder why it doesn’t work
What would a pasting attack look like and how would it work?
Now what most people don’t know is that websites can insert arbitrary text when you copy stuff off them. A malicious site will abuse that.
It works like that:
You follow a tutorial online or search for a code snippet. You copy some code/said snippet and paste it into a terminal or the browser command line. This copied text is altered by the site to be a one-line command to install malware or grab passwords or cookies. All of that is followed by a line break and maybe your real command to lower suspicion.
Some of the terminal or browser shells interpret a line break in the copied text as enter which then executes the command.
To prevent that, get a shell that doesn’t just execute what you paste (fish shell) or a terminal program that warns you about line breaks (MobaXterm).
And please check text from unknown sites before pasting it into a program that may execute it right away. (Just paste it into a text editor or look at your clipboard manager like Win+V in Windows)
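
The check recommended above, written out as an added example that is not part of any post in this thread: it inspects clipboard text for the line breaks that make a terminal run a paste immediately, and compares it with what was visibly selected. The function name `inspectPaste`, the finding labels and the sample strings are assumptions made up for illustration.

```javascript
// Added example: inspect clipboard text before it reaches a shell or console.
// inspectPaste and its finding labels are hypothetical, not a browser or terminal API.
function inspectPaste(clipboardText, selectedText = null) {
  const findings = [];
  // Normalise CRLF and lone CR so every kind of line break is treated alike.
  const normalise = (s) => s.replace(/\r\n?/g, "\n");
  const text = normalise(clipboardText);
  const commands = text.split("\n").filter((line) => line.trim() !== "");

  // A line break inside the paste is what many terminals treat as Enter.
  if (text.includes("\n")) findings.push("contains-line-break");
  // A trailing line break means the last line runs without any key press.
  if (text.endsWith("\n")) findings.push("trailing-line-break");
  // More than one non-empty line: something may run before the expected command.
  if (commands.length > 1) findings.push("multiple-lines");
  // Control characters other than tab and line feed do not belong in a snippet.
  if (/[\x00-\x08\x0b-\x1f\x7f]/.test(text)) findings.push("control-characters");
  // The page may have replaced the clipboard content during the copy.
  if (selectedText !== null && text.trim() !== normalise(selectedText).trim()) {
    findings.push("differs-from-selection");
  }
  return { safeToPaste: findings.length === 0, findings, commands };
}

// Constructed sample: the user selected "ls -la", but the clipboard holds an
// extra first line (a harmless placeholder here) and a trailing line break.
const SAMPLE_SELECTED = "ls -la";
const SAMPLE_CLIPBOARD = "echo placeholder-for-injected-line\r\nls -la\n";

function demo() {
  return {
    altered: inspectPaste(SAMPLE_CLIPBOARD, SAMPLE_SELECTED),
    clean: inspectPaste("ls -la", SAMPLE_SELECTED),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Any finding is a reason to paste into a text editor first, as suggested above, rather than straight into the terminal.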