Opera rolls out Paste Protect feature to fight ClickFix attacks

Opera rolls out Paste Protect feature to fight ClickFix attacks

Opera has introduced Paste Protect, a security feature designed to block ClickFix-style attacks that trick users into executing malicious commands through social engineering.

ClickFix is a widely used technique where victims are deceived into copying dangerous code or commands to the clipboard and then executing them in the command-line interface.

Typically, the ruse is a verification process or some form of problem-fixing instructions. However, they are only designed to trick the target into performing dangerous actions.

image

The commands execute with the user’s privileges, bypassing existing security defenses, and many times lead to the delivery of information-stealer malware.

The method is to popular with threat actors that Apple recently introduced a security feature designed specifically to detect risky pastes in the Terminal and block them before alerting the user.

Opera’s approach with Paste Protect is similar: it blocks harmful commands before they are copied to the browser clipboard.

The new security mechanism leverages Hijack protection, introduced in 2021, which can detect attempts from external applications to replace copied content (e.g., URLs or bank account numbers) with malicious alternatives, as well as a new component called Injection protection.

Injection protection blocks potentially harmful commands before they reach the clipboard, regardless if the action is initiated by the user or a website they visit.

Opera says it uses platform-specific detection rules to scan copied content for patterns commonly associated with malicious scripts and commands, supporting Windows, macOS, and Linux.

When Paste Protect detects suspicious clipboard content, it blocks the copy operation, displays a warning, and shows a red security indicator in the browser's address bar.

“If a potential threat is detected, the copy action is automatically blocked,” describes Opera.

“You'll see a popup explaining what happened, and a red warning icon will appear in the address bar.”

In such cases, users can view the first 120 characters of the blocked script, and they can approve the process of copying it after a 5-second timeout.

Viewing the script content
Viewing the script contentSource: Opera

Users will also have the option to create allow-lists with trusted websites to minimize the friction from repeated blocks by Opera's new security system.

“If you really know what you’re doing, for example if you’re a developer who regularly copies scripts or commands from trusted sources like GitHub, you can also set trusted websites where it’s allowed to copy scripts by selecting “Always allow from this site” in the popup,” explained Opera.

Paste Protect is enabled by default in the latest Opera release, and users can manage it through Settings → Privacy & Security → Paste Protect.

As a general recommendation, users should avoid executing commands they found online that they don’t fully understand and treat all such prompts with suspicion.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Top News: