What just happened? A browser vulnerability affecting Chrome, Firefox, and Safari was discovered following a recent Chrome software release. Google developers identified the clipboard-based attack, which allows malicious websites to overwrite a user's clipboard content when the user does nothing else but visit a compromised webpage. The vulnerability affects all Chromium-based browsers as well, but appears to be most prevalent in Chrome, where a user gesture used to copy content is currently reported as broken.
Google developer Jeff Johnson explained how the vulnerability can be triggered in several ways, all of which grant the page permissions to overwrite clipboard contents. Once granted, users can be affected by actively triggering a cut or copy action, clicking on links in the page, or even taking actions as simple as scrolling up or down on the page in question.
Johnson elaborated on the bug, pointing out that while Firefox and Safari users have to actively copy content to the clipboard using Control+C or ⌘-C, Chrome users can be affected by simply viewing a malicious page for no more than a fraction of a second.
Johnson's blog post references video examples from Šime, a content creator specializing in content geared toward web developers. Šime's demonstrations reveal just how quickly Chrome users can be affected, with the vulnerability triggered by simply toggling between active browser tabs. Regardless of how long the visit lasts or what type of interaction the user takes, the malicious site instantly replaces any clipboard contents with whatever the threat actor decides to deliver.
"In order to be able to write to the clipboard, the website needs to be in the active tab. Quickly toggling tabs is enough. You don't have to interact with the website or look at it for more than a tenth of a second." (Šime (ˈshe-meh), @simevidas, September 2, 2022, pic.twitter.com/KzsT6UByAq)
Johnson's blog provides technical details describing just how a page can obtain permission to write to the system clipboard. One method uses a now deprecated command, document.execCommand.
Another method takes advantage of the more recent navigator.clipboard.writeText API, which has the ability to write any text to the clipboard with no additional actions required. Johnson's blog includes a demonstration of how both approaches to the same vulnerability work.
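To make the two write paths concrete from a defender's side, here is an added example (not code from Johnson's blog or from any browser) that wraps both of them so a write only goes through during a user activation, and records every attempt. The names installClipboardGuard and makeFakeWindow are hypothetical, and the check assumes the browser's navigator.userActivation.isActive flag, which the article does not mention.

```javascript
// Added example: gate both clipboard write paths on user activation and log attempts.
// `win` is any window-like object; all function names here are hypothetical.
function installClipboardGuard(win) {
  const log = []; // one entry per attempted clipboard write, newest last
  const nav = win.navigator;
  // Assumption: the UserActivation API is available on this navigator.
  const active = () => Boolean(nav.userActivation && nav.userActivation.isActive);

  // Path 1: the async Clipboard API, navigator.clipboard.writeText
  const origWrite = nav.clipboard.writeText.bind(nav.clipboard);
  nav.clipboard.writeText = (text) => {
    const allowed = active();
    log.push({ api: "writeText", allowed, preview: String(text).slice(0, 40) });
    return allowed
      ? origWrite(text)
      : Promise.reject(new Error("clipboard write without user activation"));
  };

  // Path 2: the deprecated document.execCommand("copy" / "cut")
  const origExec = win.document.execCommand.bind(win.document);
  win.document.execCommand = (cmd, ...rest) => {
    const name = String(cmd).toLowerCase();
    if (name !== "copy" && name !== "cut") return origExec(cmd, ...rest);
    const allowed = active();
    log.push({ api: "execCommand:" + name, allowed });
    return allowed ? origExec(cmd, ...rest) : false; // false = command not executed
  };
  return log;
}

// Constructed stand-in for a browser window so the guard can run outside a browser.
function makeFakeWindow() {
  const win = {
    clipboardText: "",
    navigator: { userActivation: { isActive: false }, clipboard: {} },
    document: {},
  };
  win.navigator.clipboard.writeText = (t) => {
    win.clipboardText = t;
    return Promise.resolve();
  };
  win.document.execCommand = () => true;
  return win;
}
```

In a real browser the wrapper only has an effect if it runs in the page's own JavaScript context before any page script, and the returned log is what a tester would inspect to see which writes a page attempted without a gesture.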
While the vulnerability may not sound damaging on the surface, users should remain aware of how malicious actors can leverage the content swap to exploit unsuspecting victims. For example, a fraudulent site can replace a previously copied URL with another fraudulent URL, leading the unwitting user to additional sites designed to capture information and compromise security.
The vulnerability also provides threat actors with the ability to replace copied cryptocurrency wallet addresses saved to the clipboard with the address of another wallet controlled by a malicious third party. Once the transaction has taken place and funds are sent to the fraudulent wallet, the victimized user typically has little to no ability to trace and reclaim their funds.
According to The Hacker News, Google is aware of the vulnerability and is expected to release a patch in the near future. Until then, users should exercise caution by avoiding opening pages using clipboard-based copied content and by verifying the output of their copied content prior to continuing with any activities that could compromise their personal or financial security.