Google Chrome version 104 accidentally discovered a bug due to which users are no longer required to have explicit permission to write to the clipboard from the sites they visit. Experts note that similar functionality that allows to interact with the system clipboard is also available in Safari and Firefox, but these browsers have protection based on user gestures.
Let me remind you that we also wrote, for example, that Experts Found More Than 3.6 million Unprotected MySQL Servers, and also that Hackers Use Dark Utilities to Create C&C Infrastructure.
Chrome developers are already aware of the problem, but there is no solution for it yet, which means that it is present in current versions of the browser for mobile devices and desktops.
Researcher and developer Jeff Johnson, who has studied the issue, writes that overwriting the buffer with arbitrary content puts users at risk, as they may become victims of fraud as a result. For example, attackers can lure users to a specially created site that pretends to be a real cryptocurrency service. When a user tries to make a payment and copies the wallet address to the clipboard, the site can change the address to the attacker’s wallet (this is how many malware works).
In his blog, Johnson concludes that, in general, all browsers that support clipboard writing have extremely poor security measures. The aforementioned custom gestures that give a web page permission to use the clipboard API usually involve, for example, a keyboard shortcut to copy content (Ctrl+C), but in many cases, literally any interaction with the site is enough.
Johnson tested not only Chrome, but also Safari and Firefox, and found that even pressing the down key or using the mouse’s scroll wheel to navigate a site also gave permission to write to the clipboard for that web page.
Luckily, the researcher’s tests showed that sites can’t even read clipboard data, which could seriously damage user privacy.
To test your browser and see for yourself the problem, the researcher advises simply visiting webplatform.news and then pasting the contents of the clipboard into Notepad or any other text-based application. Most likely, the buffer will contain the message shown in the screenshot below.
To protect the buffer, Johnson recommends that users use his StopTheMadness extension. At the same time, the researcher warns that even this will not protect against overwriting information in the clipboard by 100% and under any circumstances.