Google Chrome Vulnerability Allows Sites to Overwrite Clipboard Contents Silently


A vulnerability in Chromium-based browsers allows web pages to overwrite system clipboard content without user consent or interaction.

The bug was discovered by developer Jeff Johnson, who detailed his findings in a blog post on August 28.

The security expert said the issue also affects Apple Safari and Mozilla Firefox, but in Chromium-based browsers the requirement for a user gesture before a page may write to the clipboard is currently broken.

“Chrome is currently the worst offender because the user gesture requirement to write to the clipboard was accidentally broken in version 104,” Johnson remarked.

For context, a user gesture is an explicit user action, such as selecting a piece of text and pressing Ctrl+C (or ⌘-C on macOS), or choosing “Copy” from the context menu.

Johnson also found that a broader set of user gestures triggers the bug.

“Gestures are not strictly limited in this way. In my tests, [a number of] DOM events allow a webpage to use the clipboard API to overwrite your system’s clipboard.”

These include mouse clicks and key-down and key-up keyboard events, among others.

“Therefore, something as innocent as clicking on a link or pressing the arrow key to scroll down the page gives the website permission to overwrite your system’s clipboard,” Johnson warned.

As for how the bug could be exploited to an attacker’s advantage, Johnson said the answer was obvious.

“While browsing a web page, [it] can unknowingly erase the current contents of your system’s clipboard, which may have been valuable to you, and replace it with whatever the page wants, which could be dangerous for you the next time you paste.”

According to Johnson, Google is already aware of the vulnerability, but at the time of writing the tech giant has yet to release a patch.

The bug is not the first to affect browsers in recent times and comes days after Apple patched a critical vulnerability in the Safari browser on several mobile devices.