Security News > 2022 > August > Google Chrome bug lets sites write to clipboard without asking

Google Chrome bug lets sites write to clipboard without asking
2022-08-31 17:13

Chrome version 104 accidentally introduced a bug that removes the user requirement to approve clipboard writing events from websites they visit.

When the user tries to make a payment and copies the wallet address to the clipboard, the website can write to the clipboard the threat actor's address.

On some websites, when the user selects text to copy from a web page, additional content is appended to the clipboard.

In this case the clipboard fills up with arbitrary content without any visible indication or user interaction.

Johnson tested on Safari and Firefox and found that pressing the down arrow key or using his mouse scroll wheel to navigate on a site gave clipboard writing permission to the loaded web page.

"While you're navigating a web page, the page can, without your knowledge, erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste. Why did web browser vendors ever allow this?" - Jeff Johnson.


News URL

https://www.bleepingcomputer.com/news/security/google-chrome-bug-lets-sites-write-to-clipboard-without-asking/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 253 4216 4506 727 9702