Chrome version 104 accidentally introduced a bug that removes the user’s requirement to approve clipboard write events from websites they visit.
This functionality is not limited to Google Chrome. Safari and Firefox also allow web pages to write to the system clipboard, but have gesture-based protections.
The issue has been identified by Chrome developers, but it has not been fixed yet, so it persists in current versions of the Google Chrome browser for mobile and desktop devices.
What is the problem?
The system clipboard is a temporary storage location in operating systems. It is usually used for copy and paste and can involve sensitive information such as bank account numbers, cryptocurrency wallet chains, or passwords.
Overwriting this temporary storage space with arbitrary content puts users at risk of becoming victims of malicious activity.
Threat actors could lure users to specially crafted websites that masquerade as a legitimate cryptocurrency service. When the user attempts to make a payment and copies the wallet address to the clipboard, the website may write the address of the threat actor to the clipboard.
On some websites, when the user selects text to copy from a web page, additional content (usually the URL of the page) is added to the clipboard. However, in this case, the clipboard is filled with arbitrary content without any visible indication or user interaction.
What protects me from this?
Developer Jeff Johnson highlights in a blog post exploring the issue that all web browsers that support writing to the clipboard have poor and inadequate protections.
User gestures that give a web page permission to use the clipboard API include the keyboard shortcut to copy content (Ctrl+C), but in many cases, any interaction with the website is sufficient.
Johnson tested in Safari and Firefox and found that pressing the down arrow key or using the mouse scroll wheel to navigate a site gave the loaded web page write permission to the clipboard.
Considering how common these actions are, this permission is risky enough to warrant a fix.
Fortunately, Johnson’s tests confirmed that websites cannot abuse this permission to read clipboard content, which would be detrimental to user privacy.
Am I shocked?
To determine if this problem affects your web browser, you can visit “webplatform.news” and then “paste” the contents of your clipboard into a text application, such as Windows Notepad.
If you see the following message, your browser is vulnerable to permission abuse.
However, not all Chromium-based browsers are affected by this issue. In BleepingComputer tests, Brave did not give the test site permission to overwrite the clipboard.
However, Johnson’s built-in test box that populates the visitor’s clipboard with website navigation actions worked across browsers, so the cause of the discrepancy is unclear.
Johnson says that users overly concerned about this issue can use his ‘StopTheMadness’ extension, but warns that they still won’t be 100% protected against arbitrary clipboard overwrites in all circumstances.