source via HackerNews comment
The webpage discourages copying a terminal command from a website and
pasting it into your terminal. It shows how a nefarious webpage designer
can make you think that you are copying one command while you are
actually copying another.

Some thoughts:

- I’m always blown away at how easy it is to piggyback a security
threat onto natural human laziness.
- There’s a separation (in my terminal) between paste and run. So I
have an opportunity to catch egregious changes, like the one in the
example. Is it always the case that a terminal separates paste from run?
I don’t think so. Tbf, this article was well over a decade old when I
first accessed it.
- The “malicious” command is hidden in the HTML. Not JavaScript. On
the one hand, it’s easy to see if you’re looking at the unrendered HTML.
On the other hand - who does that? Lots of people turn off JavaScript.
HTML is the website…
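
An added example, not code from the linked page or from this note: a Python check that parses a page's HTML and reports text inside `<pre>`/`<code>` blocks that an inline style keeps off screen but that a copy would still pick up. The inline-CSS heuristics, the names `CopyAudit` and `audit`, and the sample markup are assumptions; the note does not say how the demo hides its text.

```python
import re
from html.parser import HTMLParser

# Heuristic inline-style patterns for text that is selectable but not on screen.
HIDING = re.compile(r"(?:left|top|text-indent)\s*:\s*-\d"
                    r"|(?:font-size|opacity)\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # never closed

class CopyAudit(HTMLParser):
    """Collect the text inside <pre>/<code> as (text, is_hidden) pairs."""
    def __init__(self):
        super().__init__()
        self.stack = []   # (tag, in_code, hidden) per open element; flags inherit
        self.parts = []   # (text, is_hidden) in document order

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        _, in_code, hidden = self.stack[-1] if self.stack else ("", False, False)
        style = dict(attrs).get("style") or ""
        self.stack.append((tag, in_code or tag in ("pre", "code"),
                           hidden or bool(HIDING.search(style))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.stack and self.stack[-1][1]:
            self.parts.append((data, self.stack[-1][2]))

def audit(html):
    """Compare what a reader sees in code blocks with what a copy picks up."""
    p = CopyAudit()
    p.feed(html)
    p.close()
    return {"visible": "".join(t for t, h in p.parts if not h),
            "copied": "".join(t for t, _ in p.parts),
            "hidden": [t for t, h in p.parts if h and t.strip()]}

# Constructed sample with harmless placeholder commands (not the demo's markup).
SAMPLE = ('<p>Run this:</p><pre>echo visible-command '
          '<span style="position:absolute; left:-100px; top:-100px">'
          '; echo HIDDEN-PLACEHOLDER</span></pre>')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Text hidden through an external stylesheet or a class name is outside what these inline-style heuristics can see.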