Chrome Allows Sites to Interact with the Clipboard without Permission

Google Chrome version 104 accidentally discovered a bug due to which users are no longer required to have explicit permission to write to the clipboard from the sites they visit. Experts note that similar functionality that allows to interact with the system clipboard is also available in Safari and Firefox, but these browsers have protection based on user gestures.

Let me remind you that we also wrote, for example, that Experts Found More Than 3.6 million Unprotected MySQL Servers, and also that Hackers Use Dark Utilities to Create C&C Infrastructure.

Chrome developers are already aware of the problem, but there is no solution for it yet, which means that it is present in current versions of the browser for mobile devices and desktops.

Researcher and developer Jeff Johnson, who has studied the issue, writes that overwriting the buffer with arbitrary content puts users at risk, as they may become victims of fraud as a result. For example, attackers can lure users to a specially created site that pretends to be a real cryptocurrency service. When a user tries to make a payment and copies the wallet address to the clipboard, the site can change the address to the attacker’s wallet (this is how many malware works).

In his blog, Johnson concludes that, in general, all browsers that support clipboard writing have extremely poor security measures. The aforementioned custom gestures that give a web page permission to use the clipboard API usually involve, for example, a keyboard shortcut to copy content (Ctrl+C), but in many cases, literally any interaction with the site is enough.

Johnson tested not only Chrome, but also Safari and Firefox, and found that even pressing the down key or using the mouse’s scroll wheel to navigate a site also gave permission to write to the clipboard for that web page.

During navigation, a web page may, without your knowledge, erase the current contents of the system clipboard, which could be of value to you, and replace it with whatever it wants. Even one that might be dangerous to you the next time you paste data from the buffer. Why do browser manufacturers allow this at all?Johnson asks.

Luckily, the researcher’s tests showed that sites can’t even read clipboard data, which could seriously damage user privacy.

To test your browser and see for yourself the problem, the researcher advises simply visiting webplatform.news and then pasting the contents of the clipboard into Notepad or any other text-based application. Most likely, the buffer will contain the message shown in the screenshot below.

Chrome and clipboard without permission

To protect the buffer, Johnson recommends that users use his StopTheMadness extension. At the same time, the researcher warns that even this will not protect against overwriting information in the clipboard by 100% and under any circumstances.

Leave a Comment

About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master's degree in cybersecurity, I've started working as a virus analyst in a little anti-malware vendor.