Chrome version 104 introduced a bug that removes the requirement for users to approve clipboard writing events from websites visited.
This feature is not limited to Google Chrome. Despite the fact that Safari and Firefox allow web pages to write to the system clipboard, they include gesture-based protections.
What’s the big deal?
On operating systems, the system clipboard is a temporary storage location. It’s commonly used for copy-pasting sensitive information like banking account numbers, cryptocurrency wallet strings, or passwords.
By overwriting this temporary storage space with arbitrary content, users put themselves at risk of becoming victims of malicious activity.
Threat actors may use specially crafted websites impersonating a legitimate cryptocurrency service to entice users. When a user attempts to make a payment and copies the wallet address to the clipboard, the website may copy the threat actor’s address to the clipboard.
When a user selects text to copy from a web page, additional content is appended to the clipboard (usually page URL). However, in this case, the clipboard fills up with random content with no visible indication or user interaction.
What protects me from this?
In a blog post about the topic, developer Jeff Johnson points out that all web browsers that support clipboard writing have poor and insufficient safeguards.
The keyboard shortcut for copying content (Ctrl+C) is one of the user gestures that allows a web page to use the clipboard API, but in many cases, any interaction with the website is sufficient.
Johnson discovered on Safari and Firefox that using the down arrow key or his mouse scroll wheel to navigate a site grants clipboard writing permission to the loaded web page.
Given how common these actions are, this permission is sufficiently dangerous to warrant a fix.
“While you’re navigating a web page, the page can, without your knowledge, erase the current contents of your system clipboard, which may have been valuable to you, and replace them with whatever the page wants, which could be dangerous to you the next time you paste.” – Jeff Johnson
Johnson’s tests, thankfully, confirmed that websites could not abuse this permission to read clipboard contents, which would be harmful to user privacy.
Am I impacted?
To see if this problem affects your web browser, go to “webplatform.news” and then “paste” your clipboard contents into a text editor like Windows Notepad.
If you receive the message below, your browser is vulnerable to permission abuse.
This problem, however, does not affect all Chromium-based browsers. Johnson’s embedded test box, which fills the visitor’s clipboard with website navigation actions, worked on all browsers, so the reason for the discrepancy is unknown.
Users who are overly concerned about this issue can use Johnson’s ‘StopTheMadness‘ Extension, but he warns that they will still be vulnerable to arbitrary clipboard overwrites in all circumstances.