Malicious Copy and Paste Appending

Earlier today I was reading this article on about how FXX plans to show all 552 episodes of The Simpson’s this August and noticed when I copied anything from the website it appends a link and copyright notice.  That got me thinking about what else could be appended to copied text and how bad guys could use.

So after a little looking around I found this JavaScript that will append text to anything copied.  To test my theory out I setup a secondary tumblr account called and added this javascript to the head of the document:

javascript<script type=“text/javascript”>
function addLink() {
    var body_element = document.getElementsByTagName(‘body’)[0];
    var selection;
    selection = window.getSelection();
        var pagelink = “<br></br> du <br></br> ; // change this if you want
    var copytext = selection + pagelink;
    var newdiv = document.createElement(‘div’);’absolute’;’-99999px’;
    newdiv.innerHTML = copytext;
    window.setTimeout(function() {
document.oncopy = addLink;

and posted this post:


When you copy and paste the echo $PATH command in Firefox and Chrome you get this:

echo $PATH


If you copy and paste directly into a terminal window you get this:

In the javascript I added a non-malicious DU command as an example. You cant see it until you already pasted it and it could just as easily been rm -rf / or a command to SCP all your SSH keys to "The Bad Guys™”.

That is why it is always a good idea to paste all commands into a notepad and not directly into a terminal and a dumb idea to let javascript add information to your clipboard.

Site Footer