Be careful.

BearOfaTime , 7 hours ago

Wouldn’t it require elevation?

Yet another example of why running as root/admin is a Bad Idea©

IsThisAnAI , 7 hours ago (edited 7 hours ago)

Yes. The prompt asking you if you wanted to do it or not would come up next. Unless they figured out some sneaky way to do something to avoid using admin.

avidamoeba , 6 hours ago

Deploy a user-level payload that is auto started on login. The computer is now part of the botnet and can already be used for useful ops. Deploy a privilege escalation payload later if needed.

dgriffith , 6 hours ago (edited 6 hours ago)

90% of users when they are presented with the UAC popup when they do something:

“Yes yes whateverrr” <click>

IsThisAnAI , 6 hours ago

🤷‍♂️ people are going to take the path of least resistance

groet , 7 hours ago

No, why would it? It will run code in the context of the current user which is absolutely enough to start a new process that will run in the background, download more code from a attacker server and allow remote access. The attacker will only have as much permissions as the user executing the code but that is enough to steal their files, run a keyloggers, steal their sessions for other websites etc.

They can try to escalate to the admin user, but when targeting private victims, all the data that is worth stealing is available to the user and does not require admin privs.

avidamoeba , 6 hours ago (edited 6 hours ago)

Exactly. The moment you hit Enter, the computer becomes part of a botnet on every login.

Womble , 5 hours ago

https://lemmy.world/pictrs/image/73b90d70-568e-458e-aaad-93513caf72a9.png

Treczoks , 6 hours ago

Once you run something on windows, elevation is just a thing of using the right toolbox.

Bezier , 5 hours ago

That should be easy on windows, but user permissions might also be enough for whatever it does.

Kethal , 7 hours ago (edited 6 hours ago)

It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read. On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.

@SkaveRat pointed out that it doesn’t require permission, only interaction. So likely there’s a button that’s clicked that writes to the clipboard, and most browsers are susceptible to this.

SkaveRat , 7 hours ago

not when there was a user intent like clicking a button.

For example in this screenshot, it’s likely that there’s only the “verify I’m human” button first, you click it, the steps pop up, and at the same time the command ist copied into your clipboard

MeatsOfRage , 7 hours ago (edited 3 hours ago)

Exactly, copy requires a click but there’s no rule that the copy button has to look like anything particular

dan , 10 minutes ago (edited 4 minutes ago)

It doesn’t necessarily need a click - it can be triggered by a keypress too (eg at my workplace we have a few internal pages where you can press a keyboard shortcut to copy a shortened URL for the current page).

It has to be something the browser considers a user interaction, meaning the user has expressed an intent to perform the action. That’s usually a button press or keypress.

lando55 , 5 hours ago (edited 5 hours ago)

Why isn’t the default behavior for browsers to not allow access to the clipboard? Similar to how it prompts you for access to camera/microphone

Edit: On a per-site basis, like if you use the Zoom website it asks you for access to the webcam, would something like this work for clipboard as well or would it break stuff?

madcaesar , 4 hours ago

The browser can’t access your clipboard contents without permission, but it can place text into the clipboard.

The problem is people the talking the copied text and pasting it into the command prompt.

lando55 , 4 hours ago

Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.

Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.

dan , 11 minutes ago

but it can place text into the clipboard.

Only as the result of a user interaction, for example by pressing a button.

schnurrito , 4 hours ago (edited 4 hours ago)

There is no inherent security problem with changing the content of the clipboard. That doesn’t do anything until the user pastes it somewhere; of course if that “somewhere” is a command prompt, then that is a security problem, but users really ought to check what they’re pasting there before they execute it (yeah, I know, “ought to”).

It would be possible to do it the way you say, but that would mean that the user would need to allow that for many websites; I don’t think copying from apps like Google Docs would work anymore, and “here’s your access token, click here to copy it to the clipboard” features certainly wouldn’t.

The screenshot in the OP would then probably be changed to include a step “click: allow clipboard access”; I think most people who fall for the screenshot in the OP would also fall for that.

MeatsOfRage , 3 hours ago

Exactly. Furthermore they’d probably just include it in those instructions “Step 1: when the box pops up with clipboard press allow”

Interstellar_1 , 7 hours ago

That’s a sneaky one.

Kusimulkku , 5 hours ago (edited 5 hours ago)

You’re probably sarcastic but

paste this random line in the run prompt (or what’s it called) and run it

sneaky

Hmm

rhombus , 5 hours ago

It opens the run dialog, which I’m sure the vast majority of Windows users have never heard of. This would trick a lot of people who just trust whatever their computer asks them to do.

Kusimulkku , 5 hours ago

It’s not sneaky, it’s just people are morons and fall for the simplest shit

user224 , 4 hours ago

Not everyone knows everything. Actually, nobody does.

Computers simply became an easily available necessity, thus you get a lot of computer-illiterate people using computers.

Kusimulkku , 4 hours ago

Perhaps it would’ve been fairer to say that they’re morons when it comes to computers

Honytawk , 4 hours ago

Fairer to call at least 80% of people morons because they don’t know one specific computer feature that is mainly used just by IT people?

Seems like the only moron here is you.

Kusimulkku , 4 hours ago (edited 3 hours ago)

Of course it’s fairer. Before it meant that they’re all around idiots. Now it just says they’re idiots when it comes to computers. There might be aspects they’re not idiots in, but if they’re running random commands, computers isn’t one of them.

Seems like the only moron here is you.

Not when it comes to computers but in some other things for sure

notabot , 4 hours ago

Not morons, just not educated enough about them to understand exactly what the implications of that action are.

Kusimulkku , 4 hours ago

You’ve got to remember that these are just simple computer users. These are people of the land. The common clay of the new West.

can , 4 hours ago

Kinda like you when it comes to social interaction?

Kusimulkku , 4 hours ago

Oh snap!

yarrage , 3 hours ago

Are you by chance running Arch btw?

Kusimulkku , 3 hours ago

Hah, I used to