Browsers restrict webpages from accessing various forms of user data, and the user retains the right to share information with a website. However, a recent discovery reveals that Google Chrome has a security flaw that allows websites to change data contained in the program’s clipboard. That is done without interacting with the user or getting the user’s approval.
The glitch was noticed in Chrome 104, after the user authorization protocol whose purpose was to enable the user to copy data to the clipboard was broken. The flaw exists because the browser’s security protocols are inadequate to prevent websites from altering data in Chrome’s clipboard.
When a user views a specially built webpage, the content currently stored in the system clipboard may be changed. Because of the vulnerability, it may be replaced with content defined by the page the user is viewing.
Several developers say the same problem affects other web browsers such as Firefox and Safari. Chrome’s issue may be abused without the user taking any action. However, Firefox and Safari require some type of activity to exploit the vulnerability.
How Does the Vulnerability Affect User Data Security?
A web page is granted permission to replace the contents of the system clipboard when the user performs an action. A cut or copy command, a click on a link, or simply scrolling down or up on a page grants the website the right to alter the data.
The worrying trend is that various websites have been expressly designed to alter user data without regard for the user’s commands.
Various allegations have been made concerning Chrome’s vulnerability, and a developer verified this concern using a sample webpage. The issue is still persistent on the most recent version of Chrome, but Firefox has been able to seal its software’s loopholes.
While browsing a website, the contents of a system’s clipboard, which may contain useful information, can be overwritten by the website. That happens without the user’s awareness, and the content is replaced with anything the website decides to put.
That is a great concern because it puts a user in unnecessary danger of having vital information changed, and the destination of the altered data remains unknown.
Why Target Google Chrome’s Clipboard Contents?
Data is the diamond of the information age, and those who possess it have a significant advantage over their competitors. For example, in an attack staged by cyber terrorists, who are major beneficiaries of information, the attackers could entice a victim to visit a malicious landing page.
The hackers would then use various phishing algorithms to obtain data from the user, ranging from medical records to financial statements. Afterward, the adversary would replace the target’s previously copied cryptocurrency wallet address or financial details with one under their control, resulting in unapproved fund transfers to the hacker’s account.
Attacks aimed at stealing bitcoin transactions from a victim have been observed to target the material copied to the victim’s clipboard. Malware is routinely used in these attacks, and one of its functions is to replace the address of a crypto wallet in the clipboard with the address of an attacker-controlled wallet.
Fortunately, before a webpage may access the clipboard contents using arbitrary motions, it must first be granted the authority to do so. This authority is referred to as the clipboard-read permission. Google is aware of its system’s gaps and is working tirelessly to restore adequate security features to its browser.
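A site that accepts wallet addresses can check for the address swap described above at the moment of pasting. The sketch below is an added example, not code from Chrome or from the developers mentioned in the article. It goes one step further than the article by also flagging look-alike addresses. The address book, the four-character edge comparison and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example (not from the article): paste-time guard for a wallet-address field.
// Format check only, no checksum: legacy/P2SH (Base58) and bech32 Bitcoin addresses.
const BTC_ADDRESS =
  /^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$/;
const EDGE = 4; // assumption: characters a person eyeballs at each end

// Constructed sample values, not real wallets.
const SAVED = '1Saved' + 'X'.repeat(24) + 'ab12';
const LOOKALIKE = '1Sav' + 'Z'.repeat(26) + 'ab12';
const STRANGER = '3Diff' + 'Y'.repeat(24) + 'cd34';

function edges(addr) {
  return addr.slice(0, EDGE) + '...' + addr.slice(-EDGE);
}

// addressBook: addresses the user saved earlier over a trusted path (hypothetical store).
function classifyPaste(pastedText, addressBook) {
  const pasted = pastedText.trim();
  if (!BTC_ADDRESS.test(pasted)) return { verdict: 'not-an-address', pasted };
  if (addressBook.includes(pasted)) return { verdict: 'known', pasted };
  // Same visible ends as a saved address but a different string: checking only
  // the first and last characters by eye would not catch this substitution.
  const resembles = addressBook.find((a) => edges(a) === edges(pasted));
  if (resembles) return { verdict: 'lookalike', pasted, resembles };
  return { verdict: 'unknown', pasted };
}

// Browser wiring: cancel the paste and report it unless the address is already known.
function guardField(input, addressBook, onBlocked) {
  input.addEventListener('paste', (event) => {
    const result = classifyPaste(event.clipboardData.getData('text/plain'), addressBook);
    if (result.verdict !== 'known') {
      event.preventDefault();
      onBlocked(result); // e.g. show both addresses in full and ask for confirmation
    }
  });
}
```

The guard only sees what reaches the paste event, so it complements the browser's clipboard permissions and does not replace them.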