As much as Google Chrome 104 fixes some serious security issues, it also appears to have introduced at least one new one. It’s a bug so serious that it could compromise your device’s clipboard, and expose you to some kind of wrongdoing in the process.
Normally the user has to initiate a clipboard event. However, Chrome 104 has removed this requirement, according to security expert Jeff Johnson. That means webpages could start adding stuff to your clipboard without you even being aware of that fact.
Johnson even demonstrates the issue in his blog post, pointing users to the site Web Platform News. Clicking that link immediately overwrites anything you have stored in your clipboard, and replaces it with the following text:
“Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.”
You don’t have to do anything on the page; simply opening the link allows the site to overwrite your current clipboard content. Johnson notes that this issue showcases how insecure system clipboards are, and both Safari and Firefox can let web pages overwrite your clipboard with a gesture.
Normally this gesture is the classic Ctrl/Cmd + C, but Johnson discovered that even something as simple as clicking or scrolling down the page was enough to give sites permission to add stuff to your clipboard. The fundamental problem, as Johnson puts it, is that “their design is equating user gestures with user consent.” Those are not the same thing.
It just so happens those meager protections are broken in Chrome 104, so visiting a page is enough to take advantage of the bug.
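To make the missing gesture check concrete, here is an added example (not code from this article, Johnson's post or Chrome): a JavaScript wrapper that rejects and reports clipboard writes made without a recent user gesture. It assumes the writes go through the async Clipboard API (`navigator.clipboard`) and that the browser exposes `navigator.userActivation`; `guardClipboardWrites` and `demo` are hypothetical names.

```javascript
// Added example (not from the article): refuse Clipboard API writes that
// arrive without transient user activation, and report them.
// `nav` is a navigator-like object; in a page or content script pass `navigator`.
function guardClipboardWrites(nav, onBlocked = () => {}) {
  const clipboard = nav.clipboard;
  if (!clipboard) return false; // API absent (e.g. insecure context)

  // UserActivation API: isActive is true only shortly after a user gesture.
  // If the API is missing we cannot tell, so the guard fails closed.
  const hasGesture = () =>
    Boolean(nav.userActivation && nav.userActivation.isActive);

  for (const method of ["writeText", "write"]) {
    if (typeof clipboard[method] !== "function") continue;
    const original = clipboard[method].bind(clipboard);
    clipboard[method] = (...args) => {
      if (hasGesture()) return original(...args);
      const preview =
        method === "writeText" ? String(args[0]).slice(0, 60) : "[ClipboardItem]";
      onBlocked({ method, preview });
      const err = new Error("Clipboard write without user activation");
      err.name = "NotAllowedError";
      return Promise.reject(err);
    };
  }
  return true;
}

// Constructed demo: a fake navigator standing in for the browser object.
function demo() {
  const written = [];
  const blocked = [];
  const nav = {
    userActivation: { isActive: false },
    clipboard: { writeText: (t) => (written.push(t), Promise.resolve()) },
  };
  guardClipboardWrites(nav, (e) => blocked.push(e));

  // 1. Write attempted on page load, no gesture: rejected and reported.
  nav.clipboard.writeText("constructed text set on load").catch(() => {});
  // 2. Write after a gesture: passed through to the real method.
  nav.userActivation.isActive = true;
  nav.clipboard.writeText("text the user chose to copy");
  return { written, blocked };
}

console.log(demo());
```

The wrapper only puts the gesture check back, so Johnson's objection that a gesture is not consent still applies to it. It is a detection aid rather than a security boundary, and it does not cover the older `document.execCommand('copy')` path.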
The good news is that the issue doesn't appear to let websites read your clipboard, so anything you left in there should be safe. That is useful, because your clipboard could hold any number of sensitive details, including passwords or payment information.
However, the fact a website could add stuff to your clipboard, without you knowing, still puts you at risk. Particularly dodgy websites would have to get creative, but this bug could be exploited to take you to various fake sites to steal information. TechRadar Pro notes that this particular bug could be exploited to dupe users into entering a cryptocurrency wallet address into a fake site — potentially putting the whole wallet at risk.
Chrome developers have already acknowledged the severity of this problem, and are likely working on a fix. But that fix is not ready yet, so even updating to the newly-launched Chrome 105 may not be enough to protect your clipboard.
Sadly this is not something you can really do anything about, aside from avoiding Chrome and Chromium browsers altogether, so just make sure that you’re vigilant about what you’re copying and where it goes.