Google Chrome Vulnerability Lets Sites Quietly Overwrite Clipboard Contents

  • A vulnerability in Chromium-based browsers allows web-pages to replace the content of the system clipboard without the user’s consent or interaction.

    The bug was discovered by developer Jeff Johnson, who detailed his findings in a blog post on August 28.

    The security expert also said the issue affects Apple Safari and Mozilla Firefox as well, but in Chromium-based browsers, the requirement for a user gesture to copy content to the clipboard was currently broken.

    “Chrome is currently the worst offender because the user gesture requirement for writing to the clipboard was accidentally broken in version 104,” Johnson remarked.

    For context, user gestures refer to the ability of a user to select a piece of text and press Control+C (or ⌘-C for macOS), for instance, or select ‘Copy’ from the context menu.

    Further, Johnson discovered that a wider set of user gestures were also affected by the bug.

    “The gestures are not strictly limited in this way. In my testing, [a number of] DOM events give a web page permission to use the clipboard API to overwrite your system clipboard.”

    These include clicking and pressing the key-down and key-up buttons, among others.

    “Therefore, a gesture as innocent as clicking on a link or pressing the arrow key to scroll down the page gives the website permission to overwrite your system clipboard,” Johnson warned.

    In terms of how the bug could be exploited to an attacker’s advantage, Johnson said the answer was obvious.

    “While you’re navigating a web page, [it] can without your knowledge erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste.”

    According to Johnson, Google is already aware of the vulnerability, but at the time of writing, the tech giant has not released a fix for it yet.

    The bug is hardly the first affecting browsers in recent times and comes days after Apple fixed a critical vulnerability in the Safari browser of several mobile devices.