A "major" security issue in the Google Chrome web browser, Google Chrome Bug Lets Sites Silently Overwrite System Clipboard Content as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content with out requiring any user consent or interplay by genuinely visiting them.
The clipboard poisoning attack is stated to were by accident introduced in Chrome version 104, according to developer Jeff Johnson.Google Chrome Bug Lets Sites Silently Overwrite System Clipboard Content
While the problem exists in Apple Safari and Mozilla Firefox as well, what makes the difficulty severe in Chrome is that the requirement for a user gesture to copy content to the clipboard is currently broken.
User gestures include selecting a bit of textual content and pressing Control+C (or ⌘-C for macOS) or selecting "Copy" from the context menu.
"Therefore, a gesture as innocent as clicking on a link or pressing the arrow key to scroll down the page offers the website permission to overwrite your system clipboard," Johnson noted.
The ability to substitute clipboard data poses security implications. In a hypothetical assault scenario, an adversary ought to lure a sufferer to go to a rogue touchdown web page and rewrite the address of a cryptocurrency wallet formerly copied by the target with one under their control, resulting in unauthorized fund transfers.
Alternatively, threat actors could overwrite the clipboard with a link to specially crafted websites, main victims to download risky software.
"While you are navigating an internet page, the page can without your understanding erase the current contents of your device clipboard, which may also have been valuable to you, and update them with anything the page wants, which may be dangerous to you the next time you paste," Johnson explained.
Google is already aware of the difficulty and a patch is expected to be released soon, given the seriousness of the flaw and the likelihood of abuse by malicious actors.
In the interim, users are advised to chorus from opening internet pages between any cut/reproduction and paste movements and affirm their clipboard earlier than carrying out sensitive operations at the web, such as financial transactions.
The development comes as Google released a new version of Chrome (105.0.5195.52/53/54) for Windows, macOS, and Linux with fixes for 24 shortcomings, 10 of which relate to use-after-free bugs in Network Service, WebSQL, WebSQL, PhoneHub, among others.
Found this article interesting? Follow Linux Hint BD on Facebook, Twitter and LinkedIn to read more exclusive content we post.