A flaw in the Google Chrome browser and other Chromium-based browsers could enable malicious websites to automatically rewrite the contents of the clipboard without asking the user's permission or requiring any user involvement.
Developer Jeff Johnson claims that the clipboard poisoning exploit was unintentionally added to Chrome version 104. Web pages can also write to the system clipboard in Safari and Firefox, but both browsers have gesture-based security measures in place.
The flaw has been spotted by Chrome developers, but a patch has not yet been released, therefore it is still present in the most recent desktop and mobile versions of Chrome.
Security flaw
Operating systems have a temporary storage area called the system clipboard. It can contain sensitive information like passwords, banking account numbers, and cryptocurrency wallet strings and is frequently used for copying and pasting.
Users are at risk as they may end up being the targets of malware attacks if arbitrary content is written over this temporary storage space.
Users might be lured to visit websites that have been carefully built to look like reputable bitcoin services by hackers. The website might write the threat actor's address to the clipboard when the user attempts to make a payment and copy their wallet address to the clipboard.
On some websites, the user may be given the option to add more information to the clipboard when selecting text to copy from a website typically the page URL. However, in such cases, there is no obvious notification or user input before the clipboard overflows with random text.
All online browsers that support clipboard writing, have poor and insufficient security measures, according to a blog post on the subject.
When a user selects a piece of text and presses Control+C or chooses 'Copy' from the context menu, the web page is given permission to utilize the clipboard API.
Johnson explained, "Therefore, even a seemingly innocent action like clicking a link or using the arrow keys to scroll down the page allows the website to overwrite one's system clipboard." He conducted tests on Safari and Firefox and discovered that loading a web page allowed clipboard writing permission when the down arrow key was pressed or the mouse scroll wheel was used to navigate.
Fortunately, Johnson's testing showed that websites could not misuse this authorization to read clipboard contents, as it would be problematic for user privacy.