Google Chrome issue allows overwriting the clipboard content

A security issue in the Google Chrome browser could allow malicious web pages to automatically overwrite clipboard content.

A vulnerability in the Google Chrome browser, as well as Chromium-based browsers, could allow malicious web pages to automatically overwrite the clipboard content without any user interaction and consent simply visiting them.

According to a blog post published by the developed Jeff Johnson is issue was introduced in version 104.

“This blog post isn’t just about Google Chrome, it’s also about Safari and Firefox. Chrome is currently the worst offender, because the user gesture requirement for writing to the clipboard was accidentally broken in version 104.” reads the post. “A public demonstration of the brokenness has been posted on Web Platform News. If you simply visit the demonstration page in Google Chrome or a Chromium browser, then your system clipboard will be overwritten with the text below. (It’s all plain text in your clipboard, but I’ve added a hyperlink for your convenience.)”

The developer explained that in Chrome the requirement for a user gesture to copy (selecting a piece of text and pressing Control+C (or ⌘-C for macOS) or selecting “Copy” from the context menu) the content to the clipboard is currently broken.

The expert said that gestures are not limited to the above actions, the following DOM events give a web page permission to use the clipboard API to overwrite your system clipboard:

• click
• copy
• cut
• focusout
• keydown
• keyup
• mousedown
• mouseup
• pointerdown (desktop only)
• pointerup (desktop only)
• selectstart

This means that clicking on a link or pressing the arrow key to scroll down the page gives the website permission to overwrite your system clipboard. This issue affects every web browser, including Safari (desktop and mobile) and Firefox.

The capability to overwrite the content of a clipboard allows attackers to potentially conduct multiple malicious activities. An attacker could exploit the issue to replace the wallet address while the victim is performing a transaction. In order to exploit the flaw, threat actors could trick victims into visiting a specially crafted webpage.

“The potential for maliciousness should be obvious. While you’re navigating a web page, the page can without your knowledge erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste.” Johnson added.

Google published an advisory on this issue and is working to fix it.

“After enabling the custom format restriction for all async clipboard methods, we found NewTabPageDoodleShareDialogFocusTest.All test that relies on readText to be called without any user gesture. We are disabling the user gesture requirement for read/writeText for now, but we should revisit this.” reads Google’s advisory.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

[adrotate banner=”5″]

[adrotate banner=”13″]