The current, live version of Google Chrome – version 104 – saw the introduction of a bug that could put your sensitive data at risk.
Normally a write event to the clipboard has to be approved by a user, but the bug was found by security expert Jeff Johnson (opens in new tab)appeared to have removed this requirement.
Many of us use our clipboard dozens or hundreds of times a day to copy and paste information from one location to another, and some of this information can include sensitive information such as phone numbers, addresses, passwords and login details, and even payment information.
Chrome clipboard bug
Johnson fears that scams based on this flaw could be used to trick users into copying their wallet address to the system clipboard on fake cryptocurrency sites, which could pose a risk to an entire digital wallet.
He warns that Google’s web browser isn’t the only one to use such a system; the same source states that Safari and Firefox also “allow web pages to write to the system’s clipboard”, but they have gesture-based protections to provide an element of security.
Johnson summarizes the lack of adequate safeguards against protecting system clipboards in all applicable web browsers.
The most commonly used user gesture is Ctrl+C (or Cmd+C for Mac users), but he found that simply pressing the down arrow to browse a website was enough to allow sites to use the computer’s clipboard .
Conveniently, there are sites to check if you’ve been affected. One such site is webplatform.news (opens in new tab), which may be added to your clipboard when you visit. All you have to do is visit the site and paste everything on your clipboard into an empty space, like a new Word document. If you see the following, the browser you are using is putting your security at risk:
“Hi, this message is on your clipboard because you visited the Web Platform News website in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information on this issue, see https://github.com/w3c/clipboard-apis/issues/182.”
Google’s team of Chrome developers is aware of the issue, but no solution has yet been found.
Through beeping computer (opens in new tab)