Clicking On Web Site Text Automatically Runs Commands In Terminal?
2022-01-12 - By Robert Elder
2022-01-24 Update: this feature appears to have been removed in chromium Version 97.0.4692.99.
I used to be with it, but then they changed what 'it' was. Now what I'm with isn't 'it', and what's 'it' seems weird and scary to me.
The purpose of this blog post is to document a web browser 'feature' that I noticed recently that really concerns me, and it may concern you too if you use terminals. I have found that by simply 'clicking' and accidentally dragging a piece of text, the text will then be fed as input to any terminal program that I have open in the background. This is not some kind of hard to replicate corner case, and it happens all the time by accidentally dragging things even by 1 pixel. This blog post is the last stage of me finally figuring out who was typing all of those news URLs at random positions in documents that I was editing in vim. This behaviour happens for me even when the terminal window is in the background and has no window focus when using Chromium browser (version 97.0.4692.71) on Ubuntu 20.04.1.
Click Dragged Text Automatically Runs In Terminal
Here are the steps that I found to replicate this problematic case:
- 1) Open a basic 'gnome-terminal' window and maximize it.
- 2) Open chromium-browser and maximize it. Make sure that the terminal isn't visible on screen and also that it doesn't have window focus. Your window focus should only be in Chromium browser.
- 3) Click on the selected text in either text area below and drag it slightly, even by as much as a single pixel, then let go.
- 4) Now, switch back to the terminal window. All of the commands were typed into your terminal. The ones with a newline after them will have been executed.
Click dragging this text:
will run the first 'echo' statement and paste the second one.
Click dragging this text:
will run the first 'echo' statement and then open 'gnome-calculator'.
There is nothing special about the text areas here. This happens with all selected text on all web pages (including this sentence).
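The rule from step 4 (lines followed by a newline are executed, the rest is only typed at the prompt), written out as an added example that is not code from the original post. It assumes the terminal hands the dropped text to a line-reading shell unchanged; the function names and sample strings are constructed for illustration.

```python
import unicodedata


def split_dropped_text(text):
    """Return (executed, pending) for text fed to a terminal as input.

    executed: non-empty lines terminated by a line ending (the shell runs them).
    pending:  trailing text with no line ending (typed at the prompt, not run).
    """
    # A terminal treats CR, LF and CRLF in its input the same way: as Enter.
    normalized = text.replace("\r\n", "\n").replace("\r", "\n")
    *complete, pending = normalized.split("\n")
    executed = [line for line in complete if line.strip()]
    return executed, pending


def neutralize(text):
    """Rewrite text so that feeding it to a terminal cannot run anything.

    Line endings and tabs become spaces; other control characters (ESC,
    backspace, ...) are dropped. The text still appears at the prompt, but
    the user has to press Enter to run it.
    """
    out = []
    for ch in text:
        if ch in "\r\n\t":
            out.append(" ")
        elif unicodedata.category(ch) == "Cc":
            continue
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed samples in the shape of the two demos described above.
    samples = ["echo first\necho second", "echo first\ngnome-calculator\n"]
    for sample in samples:
        executed, pending = split_dropped_text(sample)
        print(f"{sample!r}: runs {executed}, left at prompt {pending!r}")
        print("  neutralized:", repr(neutralize(sample)))
```

A terminal that applied something like `neutralize` to dropped or pasted text would leave every command sitting at the prompt instead of running it.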
Video Demo
Here is a video demo illustrating the behaviour described above:
Out Of Touch Old Man Complains
Why is anything like this even remotely possible? If I was teaching someone to use a computer, and they asked me a question like "If I click on this 'rm' command on some random tutorial web page, will it automatically run the command on my computer and delete my files?" I would think to myself "Wow, this person really doesn't know what they're doing." It turns out that despite spending $80,000 getting a degree in software engineering and dedicating my life to understanding computers I am the one who doesn't know what they're doing.
I did a bit of googling to try and figure out how to turn this feature off, but I can't find any setting. I didn't look too hard though because I have better things to do with my life.
Drag and drop web-based user interfaces have always seemed like a terrible idea to me in the first place. Why do we have to keep adding all these unnecessary garbage features that introduce huge security issues like this? It's OK... you don't have to listen to me. I'm just a cranky old man now. BRB one sec, I've just gotta go yell at those neighborhood kids who are quietly sitting on the steps minding their own business and looking at their phones: "Hey! Are you kids using mobile apps again? Don't you know how much personal data they scrape from your phone? Back in my day, we did everything in a browser with a strong security model! We didn't let these apps steal all our data..." Oh, they ran away again.
Kids these days would argue that the correct thing to do is to spend the next few hours carefully researching everything there is to know about the latest web-based drag and drop event models. This way, old people like me would finally learn how to use computers properly and avoid this problem. However, I now find myself adding to the to-do list of 'new security things' faster than I can actually learn them. I will instead simply admit defeat and acknowledge that I'm just an out-of-touch old man who's starting to lose their grip on reality. Instead of trying to resolve this problem, I will stick to my ever shrinking patterns of behaviour that I find safe and comfortable.