What you need to know about the clipboard-tampering bug in Chrome
A defect in Chrome version 104 removed the need for users to consent to clipboard writing on the websites they visit. The same behavior also exists outside of Google Chrome.
The flaw, found in the Google Chrome web browser, could allow malicious web pages to automatically replace clipboard content without requesting user approval or involvement.
According to developer Jeff Johnson, the clipboard poisoning attack was accidentally introduced in Chrome version 104. Although Apple Safari and Mozilla Firefox face the same issue, it is highly severe in Chrome because Chrome currently does not require a user action before content is copied to the clipboard.
A user action here means selecting text and pressing Control+C (or ⌘-C on macOS), or choosing "Copy" from the context menu.
Johnson explained that a gesture as simple as clicking on a link or pressing the arrow key to scroll down the screen grants the website permission to overwrite your system clipboard.
What's the big deal?
The ability to substitute clipboard data also raises security concerns. In a hypothetical attack scenario, an attacker could entice a victim to visit a malicious page and replace a cryptocurrency wallet address that the user had previously copied with one under the attacker's control, resulting in illegal fund transfers. Alternatively, attackers might replace the clipboard contents with a link to a specially crafted website, tricking users into downloading malicious software.
In Johnson's words, while you are browsing, a web page can discreetly change the contents of your system clipboard, which might have been useful to you, and replace them with anything it likes. This is dangerous to users the next time they paste from their clipboard.
Given the seriousness of the problem and the likely misuse by malicious actors, Google is already aware of the issue, and a fix is expected soon. In the meantime, users are asked to hold off on opening web pages between any cut/copy and paste operations and to check their clipboard before performing sensitive web operations, like financial transactions.
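As an added example (not from Johnson, Google or the original article), the clipboard check advised above can also be enforced where the paste lands: a payment form can compare pasted text with the user's saved recipients before accepting it. The address book entries, the `#recipient` field id and the function names are assumptions made for illustration, and the example goes one step beyond the article by also flagging values that match a saved address only at the start and end.

```javascript
// Added example: classify a pasted wallet address against a saved address book.
// All addresses below are constructed placeholders, not real wallets.
const ADDRESS_BOOK = [
  { label: "Exchange deposit", address: "bc1qconstructedexample000000000000000000a1b2" },
  { label: "Hardware wallet", address: "bc1qconstructedexample111111111111111111c3d4" },
];

// Strip whitespace and zero-width characters that can ride along in clipboard text.
function normalize(text) {
  return String(text).replace(/[\s\u200B-\u200D\uFEFF]/g, "");
}

// Split into 4-character groups so a person can compare the value chunk by chunk.
function chunk(address) {
  return address.match(/.{1,4}/g)?.join(" ") ?? "";
}

// Returns { status, label, display } where status is one of:
//   "known"     - exact match with a saved address
//   "lookalike" - same first and last `edge` characters as a saved address but a
//                 different middle, which a quick visual check would miss
//   "unknown"   - matches nothing saved; the caller should ask for confirmation
function classifyPastedAddress(pasted, book = ADDRESS_BOOK, edge = 4) {
  const value = normalize(pasted);
  const display = chunk(value);
  const exact = book.find((e) => e.address === value);
  if (exact) return { status: "known", label: exact.label, display };
  const near = book.find(
    (e) =>
      value.length >= edge * 2 &&
      e.address.slice(0, edge) === value.slice(0, edge) &&
      e.address.slice(-edge) === value.slice(-edge)
  );
  if (near) return { status: "lookalike", label: near.label, display };
  return { status: "unknown", label: null, display };
}

// Browser wiring (skipped outside a browser): inspect text as it is pasted.
// "#recipient" is a hypothetical field id.
if (typeof document !== "undefined") {
  document.querySelector("#recipient")?.addEventListener("paste", (event) => {
    const result = classifyPastedAddress(event.clipboardData.getData("text/plain"));
    if (result.status !== "known") {
      event.preventDefault(); // hold the paste until the user confirms result.display
    }
  });
}
```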
The report coincides with Google's recent release of Chrome (105.0.5195.52/53/54) for Windows, macOS, and Linux, which fixes 24 issues, 10 of which are use-after-free flaws in Network Service, WebSQL, PhoneHub, and other services.
In a blog post, developer Johnson added that users who are highly concerned about this issue can use his "StopTheMadness" extension; however, he cautions that in some situations it will not protect them entirely from random clipboard overwrites.