Attention Developers: Be Careful When Copying Code
A new attack vector has been making the rounds, and developers of all kinds will want to pay attention. Many IT professionals may think that their experience in the cyber-world makes them immune to malware, phishing, and other security breaches, but this new method is targeted directly at developers—and it’s hitting them through a mainstay of their development toolbox: copy-pasted code snippets.
It's common practice for web developers to search for code snippets online and copy them into projects. Doing so saves time and limits the potential for mistakes in commonly used code. The practice is so widespread that entire websites are devoted to sharing standard code and specially formatted to make it easy for developers to use the snippets they need. Unfortunately, bad actors have found a way to make this shortcut risky for developers.
How It Works
The attack hinges on JavaScript embedded underneath the surface text. To use this attack vector, bad actors insert JavaScript commands in the website's underlying code. When the user highlights and copies the text, everything looks fine—but what is actually copied to the clipboard is not the text they see on the website.
Many people have likely encountered something similar before, though with less troubling results. News sites and blogs sometimes add attributions to copied text that's pasted elsewhere to let readers know where the information originated. In both cases—the attribution example and the attack method—it's not until the user pastes the text elsewhere that they can see it's been altered. Therein lies the danger.
Unlike information from a news outlet, copied code is meant to be executed. That's what hackers are banking on. The altered code can include commands of any kind and, in the worst cases, result in a remote load execution that downloads a shell script in your active session. Some even include an instruction to execute, which means the code will run immediately upon pasting into the command line. This can spell massive trouble for anyone copy-pasting code.
Whom to Trust
So, with this attack method out in the open, is there anyone developers can trust to provide clean code snippets? The short answer is no. Even a site hosted and maintained by someone they know can be risky because bad actors can hack into existing sites and alter code from trusted sources. The site's publisher may not even realize that there is an issue because they'd need to investigate the source code to find it. This is an especially serious and growing problem when it comes to supply chain attacks. According to research from the European Agency for Cybersecurity, 66 percent of attacks focused on supplier code.
As distressing as it may be to hear, the only code a developer can trust is code they've written or verified themselves by pasting into a word processer. While it might be tempting to skip this step, the consequences could be devastating. Developers who want to protect their data would do well to avoid executing code they haven't reviewed personally.
To learn more about this possible attack vector, listen to Root Causes, episode 200, "Why Not to Copy and Paste Commands from Web Pages."