Google Chrome bug lets sites write to clipboard without asking (Security News, August 2022)
Chrome version 104 accidentally introduced a bug that removes the requirement for users to approve clipboard write events from websites they visit.
When the user tries to make a payment and copies the wallet address to the clipboard, the website can write the threat actor's address to the clipboard instead.
On some websites, when the user selects text to copy from a web page, additional content is appended to the clipboard.
In this case, the clipboard fills up with arbitrary content without any visible indication or user interaction.
Jeff Johnson tested on Safari and Firefox and found that pressing the down arrow key or using his mouse scroll wheel to navigate on a site gave clipboard writing permission to the loaded web page.
"While you're navigating a web page, the page can, without your knowledge, erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste. Why did web browser vendors ever allow this?" - Jeff Johnson.