Skip to content

Hacking with Copy & Paste (and a blog)

If you happen to own a Linux system, I am sure you already searched for solutions to problems on the Internet, only to find smart people that wrote down the solutions for you.

The most voted question on AskUbuntu, a forum to ask questions about one of the most popular Linux distributions, says: “How to list all installed packages“. The most upvoted answer is:

The apt tool on Ubuntu 14.04 and above makes this very easy.

apt list --installed

The usual proceeding is to copy the above line, open your terminal (Control-Alt-T on most distros) and paste the line.

Now, AskUbuntu is pretty popular, and also pretty trusted in the community. Still, people often reproduce the answers on private blogs like this cool blog and this is what I will do to show you how dangerous copying commands is.

Take the following example

Hey guys! Today I will show you how to make your computer say cool stuff! Open a terminal, and enter the following code (and turn the volume up):

echo "You were HACKED" #"Hey there, I am your computer! Nice to meet you!"

SO much FUNNN!!

Okay, back to serious business! The command as you see it above is legitimate, but the copy is not. Try to copy the above code and paste it into your terminal. If you don’t trust me, paste it inside the following field:

Apart from the unicode characters in there, you can see there are two commands. The one you saw above, and a new one that was not there before. If you pasted it into a terminal, you most probably got only the last command. This is dangerous, because as you can see, I can insert whatever command I want.

This works using two techniques. The first is using an invisible font in this post (font size 0). This is how it looks without “hiding”:

echo <small style="font-size: 0px">"You were HACKED" #</small>"Hey there, I am your computer! Nice to meet you!"

Another trick is achieved by using Unicode characters to control the terminal. As you may know, there are some commands that can be entered using the Ctrl key (more examples below). You can also manipulate the clipboard with JavaScript, so there is really no limit to the deception of users.

Therefore, never paste code into terminals. And if you have to do it, because the snippet is too long or you are lazy, first paste it into a regular text editor, then copy it from there.

Some more control command examples

Update 2020:

The Unicode characters do not seem to work in WordPress anymore. You can still play around with small or invisible fonts, but Unicode seems to not be converted by the blog engine.

The examples below were converted to code listings, so you can see what unicode characters were included before.

Here are some more examples. The “malicious” code is always echo "HACKED", so you can safely enter it into a console, but you can inspect the source code if you want to see how the examples work. The codes are taken from

Using Control-C (^C) to abort the previous command:

echo "install this stuff" &#3; echo "HACKED";

Using Control-H (^H) to remove previous characters:

echo "install this stuff" &#8;&#8;&#8;&#8;&#8;&#8;&#8;&#8;&#8; "HACKED";

Using Control-M (^M) to confirm commands:

echo "install this stuff" &#D; "HACKED";
Published inIT-SecurityTips and Tricks

One Comment

  1. […] Top five also includes UK, India and France. Surprisingly, my most successful post was “Hacking with Copy and Paste“, which I do not consider especially interesting, but apparently I was […]

Leave a Reply

Your email address will not be published.