Is it risky to enter your password in a terminal while a browser has a website open?
Suppose I want to do something, or solve a problem I’m having, and I search on the internet for information about what I’m trying to do, and I eventually come across a website that looks as if it might be helpful. And the website tells me to open a terminal and enter, let’s say,
And I copy-and-paste that into a terminal. Now, if I enter my password in the terminal while the website is still open, does that involve any risk that my password will end up in the hands of whoever is running that website?
Addendum: it should go without saying, but just for the record, of course I don’t plan to enter random commands from the internet into a terminal without first trying to understand what they do.
While it is rather unlikely that websites with such instructions have malicious code, it can indeed happen…
A normal unmodified Ubuntu install will protect you, though if you modify your install then there are indeed some risks…
Switching your session from Wayland back to Xorg means the apps on your screen actually share resources and through that a malicious website could try to spy on keystrokes or use other mechanisms to achieve its goal…
But first of all such a website would have to exploit some browser security issue to be able to access the world outside of the browser though… in a default Ubuntu install your browser comes in a snap package which means it runs in a sandbox and websites that would achieve breaking out of the browser would only end up in the sandbox but not be able to sniff some input from another window…
So while your scenario is technically possible, a default Ubuntu will prevent such a thing from happening. When you modify your system by, e.g., installing an un-sandboxed browser or switching to Xorg (or doing other changes that might drop security in the respective areas, the above are just two random examples), you should be aware that you might be degrading your security…
In general though I think it is rather unlikely that such a website with some Linux install instructions actually has malicious code, I doubt the benefit actually pays for the effort (getting money for ads on the site likely pays off more than stealing passwords from some very few people that run badly configured systems)
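The two properties the answer above relies on (a Wayland session and a snap-sandboxed browser) can be checked on your own machine. This is an added example, not part of the thread: the function names are hypothetical, and it assumes a browser process named `firefox` and that snapd labels strictly confined apps `snap.<snap>.<app> (enforce)` in AppArmor.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Map a session type (the value of XDG_SESSION_TYPE) to an input-isolation verdict.
session_verdict() {
    case "$1" in
        wayland) echo isolated ;;  # clients cannot read input sent to other windows
        x11)     echo shared ;;    # all X clients share one server and can observe input
        *)       echo unknown ;;   # tty, unset, or anything else
    esac
}

# Map an AppArmor label (contents of /proc/<pid>/attr/current) to a verdict.
# Assumption: snapd labels strictly confined apps "snap.<snap>.<app> (enforce)".
confinement_verdict() {
    case "$1" in
        "snap."*" (enforce)") echo snap-confined ;;
        "snap."*)             echo snap-not-enforced ;;  # e.g. complain mode
        unconfined)           echo unconfined ;;
        "")                   echo unknown ;;            # label unreadable or no AppArmor
        *)                    echo other-profile ;;
    esac
}

# Report on the live system; the browser process name defaults to firefox.
report() {
    browser="${1:-firefox}"
    echo "session: ${XDG_SESSION_TYPE:-unset} -> $(session_verdict "${XDG_SESSION_TYPE:-}")"
    pids=$(pgrep -x "$browser" 2>/dev/null || true)
    if [ -z "$pids" ]; then
        echo "$browser: not running, nothing to check"
        return 0
    fi
    for pid in $pids; do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null || true)
        echo "$browser pid $pid: ${label:-no label} -> $(confinement_verdict "$label")"
    done
}

report "$@"
```

Run it with the browser open; pass another process name as the first argument to check a different browser.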
has given you a more comprehensive reply than I was able to think up. But I will add some information. “Cookies.” When cookies first started appearing on web sites, Linux users were very worried indeed. Linux developers are born security concerned.
Due to the concerns being expressed at the time we now find that web sites inform us about cookies and offer options to manage them.
If you are using Firefox go to Settings>Privacy & Security and read about Browser Privacy. I quote what is said about the Balanced setting which I think is the default setting.
Standard
Balanced for protection and performance. Pages will load normally.
Firefox blocks the following:
Social media trackers
Cross-site cookies in all windows
Tracking content in Private Windows
Cryptominers
Fingerprinters
Includes Total Cookie Protection, our most powerful privacy feature ever
Total Cookie Protection contains cookies to the site you’re on, so trackers can’t use them to follow you between sites
It sounds sensible to me. Check out the two other settings available to users.
Here is an article aimed at system administrators that you might find reassuring.