Sunday, December 3, 2023

Google Chrome Bug Lets Sites Write to Clipboard Without Asking

There was an unintended bug introduced in version 104 of Google Chrome. It has been found in the bug that there is no need for users to approve clipboard writing events when they visit websites that require this approval.

This security flaw has been identified on August 28 2022 by the security analyst, Jeff Johnson.

Google Chrome is not the only browser that provides this functionality. While Web pages can also be recorded to the system clipboard by Safari and Firefox, they are still protected by gestures in order to prevent the clipboard content from being copied.

A fix for this problem has yet to be released by the Chrome developers, but they have identified the problem. This issue has been noted in both mobile and desktop versions of the Google Chrome browsers.

Overwriting your system clipboard

It is an operating system’s default function to store temporary data in the system clipboard. Copy-pasting is often used to paste data into a document and sensitive information may be involved in some cases like:-

  • Banking account numbers
  • Cryptocurrency wallet strings
  • Passwords
  • Debit card numbers
  • Credit card numbers

It is possible for users to become victims of malicious activities if this temporary storage space is overwritten with arbitrary content using the overwrite functionality.

Using specially crafted web pages, threat actors could simulate a legitimate cryptocurrency service in an attempt to lure users to their websites. 

There is the possibility that the website could write to the clipboard the address of the threat actor when the user tries to make a payment by copying their wallet address to the clipboard.

The user may be presented with additional content when selecting text to copy from a web page on some websites. There is no way for the user to see or control what content is being copied when the clipboard fills up with arbitrary data.

Know impacted or not?

Using “webplatform(.)news”, you can determine whether or not this issue is affecting your web browser, so check that out. You can then copy the contents of your clipboard into a text editor and paste them there.

The issue does not affect all Chromium-based browsers, but it is affecting some of them. This “StopTheMadness” extension can be used by users who are extremely concerned about this problem.

Secure Azure AD Conditional Access – Download Free White Paper


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles