Sunday, May 19, 2024

Google Chrome Bug Lets Sites Write to Clipboard Without Asking

There was an unintended bug introduced in version 104 of Google Chrome. It has been found in the bug that there is no need for users to approve clipboard writing events when they visit websites that require this approval.

This security flaw has been identified on August 28 2022 by the security analyst, Jeff Johnson.

Google Chrome is not the only browser that provides this functionality. While Web pages can also be recorded to the system clipboard by Safari and Firefox, they are still protected by gestures in order to prevent the clipboard content from being copied.

A fix for this problem has yet to be released by the Chrome developers, but they have identified the problem. This issue has been noted in both mobile and desktop versions of the Google Chrome browsers.

Overwriting your system clipboard

It is an operating system’s default function to store temporary data in the system clipboard. Copy-pasting is often used to paste data into a document and sensitive information may be involved in some cases like:-

  • Banking account numbers
  • Cryptocurrency wallet strings
  • Passwords
  • Debit card numbers
  • Credit card numbers

It is possible for users to become victims of malicious activities if this temporary storage space is overwritten with arbitrary content using the overwrite functionality.

Using specially crafted web pages, threat actors could simulate a legitimate cryptocurrency service in an attempt to lure users to their websites. 

There is the possibility that the website could write to the clipboard the address of the threat actor when the user tries to make a payment by copying their wallet address to the clipboard.

The user may be presented with additional content when selecting text to copy from a web page on some websites. There is no way for the user to see or control what content is being copied when the clipboard fills up with arbitrary data.

Know impacted or not?

Using “webplatform(.)news”, you can determine whether or not this issue is affecting your web browser, so check that out. You can then copy the contents of your clipboard into a text editor and paste them there.

The issue does not affect all Chromium-based browsers, but it is affecting some of them. This “StopTheMadness” extension can be used by users who are extremely concerned about this problem.

Secure Azure AD Conditional Access – Download Free White Paper


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles