Chromium browsers can write to the system clipboard without your permission

If you are a user of Google Chrome or any other Chromium-based web browser, then websites may push anything they want to the operating system’s clipboard without your permission or any user interaction. This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge.

Clipboard

In layman’s terms, the clipboard is where the data lives while you copy and paste, or cut and paste for that matter. Copying and pasting is such an essential part of our daily computing that most of us just do it automatically. And it can lead to undesirable results if something outside of our control decides to interfere. For example, if you used the “cut” action on a certain piece of text with the intention to paste it somewhere else, it can be a nasty surprise if something completely different gets pasted, and due to using the cut rather than copy, you may have lost the original.

Gestures

Firefox and Safari do require a user gesture before websites can copy content to the device’s clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl+C or other means to copy it to the clipboard. Chrome and other Chromium-based browsers currently have no such restriction.

Demonstration

If you’d like to see this demonstrated or if you want to check if you are somehow protected against this happening, you can visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards. You can check the content by “pasting” to an empty text editor like Notepad. Should you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:

“Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.”

Windows clipboard manager

For Windows 10 and 11 users there is a way to retrieve overwritten items from your clipboard. These Windows versions come with a clipboard manager, although it does need to be turned on first. This can be done in the Settings menu on your computer. Under System, you’ll find a section called Clipboard. Toggle the switch to On behind Clipboard history. Windows will now start keeping track of your clipboard content. To review the history up to 25 items you can use the Win+V keys.

Not new

At Malwarebytes Labs we wrote about clipboard poisoning attacks on the Mac back in 2016. The take-away from that article in the current context is that by pasting in a sensitive place, like the Terminal on a Mac, or a Command Prompt on a Windows machine, text can become a command that gets executed.

Broken

In his article about the clipboard issue, developer Jeff Johnson states that the user gesture requirement for writing to the clipboard was accidentally broken in version 104. And although the vulnerability has been flagged, fixing it may be delayed because it breaks other functionality. Apparently, adding user gesture requirement for readText and writeText APIs breaks NTP doodle sharing. NTP Google doodles are animations that appear in some cases in Chrome when a new tab is opened. Personally, I wouldn’t miss them at all.

Mitigation

While we wait for a fix, threat actors may come up with ways to abuse this temporary vulnerability. Here are some things you can do to stay on the safe side:

  • Do not open webpages between any cut/copy and paste actions.
  • Check the content of your clipboard before you past into any sensitive areas. You can use any clipboard manager or just paste into a text field to see what is momentarily there. For those of you doing financial transactions this is always worth considering, since there is malware out there that can change bitcoin addresses and bank account numbers on your clipboard.

Stay safe, everyone!

https://blog.malwarebytes.com/feed/