Be careful.
You’re probably sarcastic but
paste this random line in the terminal and run it
sneaky
Hmm
@chx @Kusimulkku @rhombus
Yeah, you wanted to say there are a ton of people that are using a highly potent tool, without even understanding the basic handling of it.
Put differently, would you take your kid on a duo-flight on an armed jet, and let them take control and press random buttons?
Oops, that was half of your hometown.
Seriously, most PCs are not "armed", but still, you can do harm if you do not know what you are doing, in general.
@chx @Kusimulkku @rhombus
BTW, we solved the mystery of why my daughter regularly uses in excess of 100GB on her mobile.
Actually I wanted to show her how she can scan something on our scanner in the home office herself.
So I let her install the Mopria scan app.
Hmmm, no scanner there. I told her you have to turn on Wi-Fi. Funny, the neighbour's scanner showed up in Wi-Fi Direct. That was the moment I got my hands on her mobile (a seldom granted privilege). She literally hadn't added our WLAN. 🤷
Not everyone knows everything. Actually, nobody does.
Computers simply became an easily available necessity, thus you get a lot of computer-illiterate people using computers.
Fairer to call at least 80% of people morons because they don’t know one specific computer feature that is mainly used just by IT people?
Seems like the only moron here is you.
Of course it’s fairer. Before it meant that they’re all around idiots. Now it just says they’re idiots when it comes to computers.
Seems like the only moron here is you.
Not when it comes to computers but in some other things for sure
not when there was a user intent like clicking a button.
For example in this screenshot, it’s likely that there’s only the “verify I’m human” button first, you click it, the steps pop up, and at the same time the command is copied into your clipboard
The browser can’t access your clipboard contents without permission, but it can place text into the clipboard.
The problem is people taking the copied text and pasting it into the command prompt.
Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.
Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.
In Firefox, you can disable the clipboard events. I’ve done this for the rare case of me copy+pasting a password and forgetting to clear the clipboard after.
On Android, I’ve noticed that it’s possible for apps to read from the clipboard, to read OTP tokens for example. Since I noticed that a while back, I’ve always been wary of the clipboard on any device I’ve used.
but it can place text into the clipboard.
Only as the result of a user interaction, for example by pressing a button.
From the Browser’s viewpoint, would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
It’s not like there’s that much of a difference, as far as the Browser is concerned.
would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
Clicking a button shows user intent, whereas a page load doesn’t. No user expects loading a page to overwrite their clipboard, but every user that clicks a “Copy to Clipboard” button does expect it.
There is no inherent security problem with changing the content of the clipboard. That doesn’t do anything until the user pastes it somewhere; of course if that “somewhere” is a command prompt, then that is a security problem, but users really ought to check what they’re pasting there before they execute it (yeah, I know, “ought to”).
It would be possible to do it the way you do, but that would mean that the user would need to allow that for many websites; I don’t think copying from apps like Google Docs would work anymore, and “here’s your access token, click here to copy it to the clipboard” features certainly wouldn’t.
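The mechanism discussed above (a click on a “verify” button counts as user activation, so the page may overwrite the clipboard; the same call at page load is rejected) as an added example, not code from anyone in this thread. The payload is a harmless `echo`, the `#verify`/`#steps` element IDs are assumed, and the regex list is an illustrative heuristic for what a paste-inspecting tool might flag; the sample strings it is run against are constructed for the example. The browser-only wiring is guarded so the file also loads under Node.

```javascript
// Added example: how a "verify you are human" lure uses the Clipboard API,
// plus a small heuristic for spotting download-and-run one-liners before pasting.

// Harmless stand-in for the real payload (attackers put a download-and-execute
// one-liner here). Assumed for the demo.
const DEMO_COMMAND = 'echo "this text was placed in your clipboard by a web page"';

// Write text to the clipboard. Browsers only honour navigator.clipboard.writeText
// from a handler running on a user gesture (transient activation); calling it at
// page load rejects with a NotAllowedError, which is why the lure needs a button.
async function copyToClipboard(clipboard, text) {
  try {
    await clipboard.writeText(text);
    return { ok: true };
  } catch (err) {
    return { ok: false, reason: err && err.name };
  }
}

// Illustrative heuristic (assumed, not exhaustive): patterns typical of
// clipboard-delivered "run this in your terminal" payloads.
const SUSPICIOUS_PATTERNS = [
  /\bpowershell(\.exe)?\b/i,
  /\bmshta(\.exe)?\b/i,
  /-(?:enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{16,}/i,
  /\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash|zsh)\b/i,
  /\biex\b|invoke-expression/i,
  /\b(?:Invoke-WebRequest|iwr|DownloadString)\b/i,
  /base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b/i,
];

// Returns the (string forms of the) patterns that matched; [] means nothing flagged.
function looksLikeDownloadAndRun(text) {
  return SUSPICIOUS_PATTERNS.filter((re) => re.test(text)).map(String);
}

// Browser wiring for the lure: the click is the user gesture that makes the
// clipboard write succeed; only then are the "paste this" steps revealed.
function wireLure(doc, clipboard) {
  const button = doc.querySelector('#verify'); // assumed element IDs
  const steps = doc.querySelector('#steps');
  button.addEventListener('click', async () => {
    const result = await copyToClipboard(clipboard, DEMO_COMMAND);
    steps.hidden = !result.ok;
  });
}

if (typeof window !== 'undefined' && typeof navigator !== 'undefined' && navigator.clipboard) {
  // At page load there is no user activation: expect { ok: false, reason: 'NotAllowedError' }.
  copyToClipboard(navigator.clipboard, DEMO_COMMAND).then((r) =>
    console.log('clipboard write at page load:', r)
  );
  wireLure(document, navigator.clipboard);
}
```

Open the page with the two elements present and compare the console line logged at load with what happens after clicking the button; then run `looksLikeDownloadAndRun` on whatever lands in the clipboard before you paste it into a terminal.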
It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it
Yeah, that’s a security hole that I hadn’t been aware of.
Wouldn’t it require elevation?
Yet another example of why running as root/admin is a Bad Idea©
90% of users, when presented with the UAC popup that appears when they do something:
“Yes yes whateverrr” <click>
It would be trivial to add a “please click ‘yes’ to the UAC prompt to allow verification” screen, so that isn’t really going to stop anyone.
I’ve seen a bit of office malware in the past that did that, where it had a bunch of images instructing you to enable macros and that.
No, why would it? It will run code in the context of the current user, which is absolutely enough to start a new process that will run in the background, download more code from an attacker server and allow remote access. The attacker will only have as much permission as the user executing the code, but that is enough to steal their files, run a keylogger, steal their sessions for other websites etc.
They can try to escalate to the admin user, but when targeting private victims, all the data that is worth stealing is available to the user and does not require admin privs.
@101 That’s diabolically simple.
(It’s arguable that on a consumer OS one should have to enter a user password before dropping into the command line, at least as the default behavior.)
General rule of thumb for me to interact with a website and read or watch whatever I want … if you require me to do more than two things to show me the content I came to see, I’m closing the tab or windows and moving on.
If it’s really important and security related, I’ll take my time and carefully examine everything I do.
Otherwise I’m not clicking more than twice and definitely not using my keyboard to see your dumb website or TikTok video.
This isn’t targeting you.
These scumbags are going after the elderly and computer illiterate.
Yup, I used to do that as a hobby, but now that I have kids, I just don’t have the time. There’s no way I could do it full-time, so I have a regular 9-5 that pays reasonably well for a cause I don’t hate. For me, that’s enough.
I hope I can make enough at my day job to go back to working on FOSS projects before I lose my ability to write competent software.