detect invisible selection / copy buffer / chrome

detect invisible selection / copy buffer / chrome

  • Written by
    Walter Doekes
  • Published on

In Look before you paste from a website to terminal the author rightly warns us about carelessly pasting any input from a web page into the terminal.

This LookBeforePaste Chrome Extension is a quick attempt at trying to warn the user.

Example output when pressing CTRL-C on the malicious code:

\[how it looks in thebrowser\]

Heuristics are defined as follows. They could certainly be improved, but it’s a start.

function isSuspicious(node)
{
    if (node.nodeType == node.ELEMENT_NODE) {
        var style = window.getComputedStyle(node);
        var checks = [
            ['color', style.color == style.backgroundColor],
            ['fontSize', parseInt(style.fontSize) <= 5],
            ['zIndex', parseInt(style.zIndex) < 0],
            ['userSelect', style.userSelect == 'none']
        ];
        for (var i in checks) {
            if (checks[i][1]) {
                console.log('Looks suspicious to me:')
                console.log(node)
                console.log(JSON.stringify(checks))
                return true;
            }
        }
    }
}

I couldn’t be bothered uploading it to the Chrome Store. But if you want to try it, it’s in the blob below:

$ tar cv lookbeforepaste/* | gzip -c | base64
lookbeforepaste/background.html
lookbeforepaste/background.js
lookbeforepaste/icon.png
lookbeforepaste/listen.js
lookbeforepaste/manifest.json
H4sIACf8iVgAA+0ZS2wkR9XehXV2kt0YkWgBIahtwU7P7qg9M56xV+NP7LUdMPHaaL0rQMZyarpr
Znq3p6vVVbNjxzF44WIfUCLBikhcSA45wgEpCClClvABlKAEiQNBnKJIHLhgIaEcVoRXXd093T3j
eA9mTaR52p3urvde1Xuv3nv1Xtmi9E6FVKlLHMw4Gapg/U7NpU3b0Oq8YfUdB+QARnI58cyPlmJP
D/KFUl9+OFcsDJdGiqPFvlx+ZKQw3Idyx7L6EdBkHLsI9bWwxYl7ON1R+E8ojItdnkyN1wk2JlMI
jTPdNR2OmKtPKBFnuM2UyfEhiQTyIUk/XqHGhvgMnnK2k1aqBw8N1uHxf5sd0xpHxH9+JBfE/2ix
WBoR8V8YHe3F/6OAoSF0s24yBP8sig1iIGojx2rWTBsJy3AtBSR3zUYZMcIRZxNXEWtNFAHJ4BeG
sFlOpe6CDW3cIGgCpRMulR5LpfS6SxtEI+uc2Myktkbt64QxXCMaNowFE8hs4qrVpq1zQKsNVsvC
erZBXPm8QZhDbUYyaBOSFEJmFQkijdwlNkcTsKpOnY1CGl26hMQ4IxbxpgoYBAghHZdUzXUQ06Nq
MsfUTdpk6BmUXp5bQN+avrFYRmlUlp9Lz8HLWGwCDkoE7MEicQq9jl0GJIJSs4hd4/U4QYu6RkjA
HMvk6tB32ZWhTAe1UDMyDZpEhdJIVCUBvkRytmaFcVfNZYFwOIOuoLSmaRENtsI3f0tsys2qqWOh
BtN0l2BO1Nj0YluzsZFNvuEQMEwFM1NPx3GIm9wCpOob+oqvLUgi37LwcsW3kRjU6+lMYoqGdI1y
5x55qsLKyUVNndq3XAsw4k1z7Fp6K04BThx6FxgQYYu4XE3XqZnOjEXMkpG22kLEYqSbm1mUkUI6
ugfdLWkR7KrCdsGM3m/Ul9XNLcCJ/ycY/8n8H9jvONfw8n+xeGj9VyzlRf4vFIdLeSj9IP+XCqVe
/n8ksPvNxa+dS31BuOC5+a/P3oDnoPj/2Bn4/fK/PsLw+Of87PTN9b/qxt75J+795Ys7b736YBFN
nt3/+5+eLrx2cH/7lQs7L/UfbKL/nH26NlCZRm+cev+dqRef/Fn/P7avDu7+sn9/9FWriX577yu/
/tLOD18+1/feixd21k4ffAe9ceb9j6YePHn5nU/d2nxq50f3vv3Uzv1pDc/+Cg8Mbl77avPdN1uf
vv2Hu+jf278Z/Gn/h33Tpyv3Piye/+PrU2++8nL/z/d2f4f3lPrzP7b2LqHvLe5eUD6Hzu6qp9Xz
++tnZk9dG0DNx89+frDv1va57Q9G391/vDD14LGd7/cdPHfqzM7p/MDgW/0Hn/3g7T+f35+bevvZ
ve21qb8N7N9H5/vee2nhM0/8ZOr3wkDzc4uzv7j2/A9Obov+p5CMf8s7i4+v9hNwRPyXhvO5sP4b
LeZE/Bd78f9oIFL/udiG4k8nCLwBwYnnbiBHVGgPVQAGhyuy4YhepAZRbfjJpNrlmvjW9LppGQLN
/JImEx6jLuFNF/jjZCu5VagfBb4FYwSpFz0CscqyWbFMuyZKPm/MwS6c0ovesmHxAl9QGyXwY3Gh
IpN1FydC4AsTYJuWBUd4VH2gX6DUUW2owex8FlF4UngKxEwlC1U2dRbMhskD2/h6heNocgLlovVF
IOdMBSbNZGJ1jS8Hd5vElyzkyIl6xc53pa9iqG4SDB5HZPtgqTgvVAbctJsklbQRNItQ69nECCqd
qEGgSJ41XVknP9syVPgGY8SME/OSDrH9RWgOjQNt3P4wmSbEwqbNpNRR8eM7Y7LlsJTs7pzi5yaU
tp4EYmBuYe763OLNtcWl2blkI8H4hiVcq2XaBm1pNcJnaMNpcmIsC4xcIdkYEP2OKPxXYnZdgd7F
om46K+fUvC8hg/xsd+QzArGaTTBXQf9l8wUC/ODhjMzbXJWcASaDxidQqYPxhXnYt/VONjkOTCjX
wdNkxF322p5Q3PaQVyDb1Cbp1ZBttW0CkVZUYQcTQXMpjZHsZcReSMyKubqSX03ifT9kFBa2aE1N
Q6yBSSNNAqfQP5TTmY9ls2NJohvFN5aXFjVopSDkzeqGL1OmkycWgFFEu6XYakcFZNIlUB1aVeS1
FLK5RThoeYT0iRtYre3B1J4BTjV0XM8NiRVzwuWgJ1Uz7SwnwsRk4D4WdhgxkrHlxxQIJzIXopD6
Pf9nWriMlxvENNjW69RtJ1GBpHHkUrUKJ0Ubbed9dJXqTZZgjeGSnJFtnYiYuJ0qJ1B+ZPhqsa3A
jNgnKXy5M6dEnAlol8V9hSAVyZnXxVESWbBOXEA4Lq3girXxTMgYkymeU3Lx5jGewS8+TCJMurt3
4dBw4p4FAyJR58ekZe3cmNyeQwghZ0ozUyCkHYRb3TU79ByLqpxF+UiK8zwtMgfYPDwZkorFYjj0
WZmJYAnWJJqWzsTVOcQboiEWuMEcdq0NhCvU5UIs2N4ItxY6xsX2YJeGvn1bJYLUv69SN73ALSNF
3gQoW53RFJflOlSYyAAVa5h3DXAowLyai8hBZFDC7DQP+LFl0VbXSwakAy4SpP5FUNdkoHG67GWz
IC98vJKhTqG24npNEfnKn7LsLZeN2LUced+Shy+If4PUREvhypmQ5d/1eadBOxEyce1oQA5owIeW
Ct+wYcwJfHhF6N3zwdkjc2FWVjIne4XyiYZk/9fAtlkljEMHSO1jWuOo+5/RUvj3v0KxkBf3/8OF
Yq//exQgIl0JNn0NTn6RC5QyKmRFAlPEBSZ8KaLMQtJPkOcoiqgMFThmvb8ISh7F6yTDjIJYnbYY
FDfRpIUME0PShyTF69BsQGKzTKdCsWt4/YWXCgjW64ibcDpjmSJwUMEjh7ggQ4MYcv22vEpOy8ux
dnqFYZnIFNHHCqJE6lUAu+Ux+WuvSXUY0K4EvLfllxLejCjIL4sVSL9rVRdMJEjEieSPNzCHgtHn
q3PulIeGLg9dhvTpfTH/E4kyeUvOplRcMBZx16SubdHhAMVNi6+Ji1mhQnBB25YdbNKAI1OcCGJF
yRY7KATtKuTjk3a2HvSgBz3oQQ968H8B/wU1tGE0ACgAAA==

Untar with: base64 -d | gunzip -c | tar xv

Update 2017-01-27

A possible improvment to isSuspicious could be:

function isSuspicious(node)
{
    if (node.nodeType == node.ELEMENT_NODE) {
        var style = window.getComputedStyle(node);
        var autoOrZero = function(val) {
            return val == 'auto' || parseInt(val) == 0; };
        var checks = [
            ['color', style.color == style.backgroundColor, style.color],
            ['fontSize', parseInt(style.fontSize) <= 5, style.fontSize],
            ['zIndex', !autoOrZero(style.zIndex), style.zIndex],
            ['left', !autoOrZero(style.left), style.left],
            ['right', !autoOrZero(style.right), style.right],
            ['top', !autoOrZero(style.top), style.top],
            ['bottom', !autoOrZero(style.bottom), style.bottom],
            ['userSelect', style.userSelect == 'none', style.userSelect]
        ];
        var matches = 0;
        for (var i in checks) {
            if (checks[i][1]) {
                matches += 1;
            }
        }
        if (matches >= 2) {
            console.log('Looks suspicious to me:')
            console.log(node)
            console.log(JSON.stringify(checks))
            return true;
        }
    }
}

Back to overview Newer post: Loadbalancer maintenance 22nd february 2017 Older post: convert / dehydrated / certbot / letsencrypt config