Google Chrome bug lets sites write to clipboard without asking
Security News, August 2022
Chrome version 104 accidentally introduced a bug that removes the requirement for users to approve clipboard writing events from websites they visit.
When the user tries to make a payment and copies the wallet address to the clipboard, the website can write the threat actor's address to the clipboard.
On some websites, when the user selects text to copy from a web page, additional content is appended to the clipboard.
In this case the clipboard fills up with arbitrary content without any visible indication or user interaction.
Johnson tested on Safari and Firefox and found that pressing the down arrow key or using his mouse scroll wheel to navigate on a site gave clipboard writing permission to the loaded web page.
"While you're navigating a web page, the page can, without your knowledge, erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste. Why did web browser vendors ever allow this?" - Jeff Johnson.