Copy and Paste for Malware

Copy-And-PasteUsing copy and paste to save text from websites is something all of us commonly do.  Nothing could be simpler, right?  Highlight your text, then <ctrl> c, and <ctrl> v.  It turns out that this can be dangerous.

A new article on Naked Security tells how it is now possible to use copy and paste to inject malware code from a web site into your computer.  This is, of course, something you don’t probably want to do, but evidently there is an exploit that uses Java or CSS code to inject malware using copy and paste.  This is called pastejacking, if you are trying to keep up on your jargon list.

If you want the specifics, I recommend you click through to Naked Security, but if you just want to avoid this problem, I have a simple solution.  Use Notepad.

In my work as a web site designer, I have used Notepad as a tool to remove embedded formatting and font styles from text in Word and other document formats that I wanted to use on the web site.  Copying from the source and pasting into Notepad removes all formatting and leaves simple text behind.  Then copy from Notepad and paste the text into your web page, and the website formatting takes over and everything looks like it should, without a lot of tedious re-typing.

Perhaps you have had to borrow clips of text from the web for a project and had the same problem with the embedded format changing the look of your document.  Now you know how to make that work better.

Notepad will strip out the hidden Java and CSS scripting, too.  So the best way to prevent this sort of exploit is to copy from your web page, paste into Notepad, then copy from notepad, and paste into your destination document.  Extra step in there, I know, but there are additional benefits beyond security as we have shown.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.