Vulnerability in Chromium-based web browsers
In current Chromium-based web browsers such as Microsoft Edge or Google Chrome, websites can write to the clipboard without any user interaction.
Numerous web browsers are based on the code base of the Chromium open source project, including Microsoft Edge and Google Chrome. In their current version, they let websites access the system clipboard without a prior user gesture such as a click or a keypress. A website can therefore replace whatever the visitor has copied with data of its own, which the visitor may later paste into a form or document without noticing the swap. This becomes a risk when the pasted data is a payment destination, for example a wallet or Bitcoin address: a transaction sent to a swapped address goes irretrievably to the wrong recipient.
Cause of the vulnerability in Chromium-based browsers
A Microsoft employee working on Chromium ran into a failing test, NewTabPageDoodleShareDialogFocusTest.All, which exercises the new-tab page and reads the clipboard without any preceding user action such as pressing Ctrl + C. Once the requirement for a prior user gesture was dropped, the test passed. The mandatory user interaction therefore gave way to making the test succeed, and the absence of this otherwise required gesture is the cause of the security gap in current Chromium-based browsers.
In the bug report dated June 7, 2022, the developer wrote: "After enabling the custom format restriction for all async clipboard methods, we found NewTabPageDoodleShareDialogFocusTest.All test that relies on readText to be called without any user gesture. We are disabling the user gesture requirement for read/writeText for now, but we should revisit this." That there is a need for action has therefore been known for some time. Now that the issue has become public, a fix should hopefully not be long in coming.
Recommendations
Until Chromium-based web browsers reinstate the user-gesture requirement, users should check that what they paste is really what they copied, in particular before submitting a wallet address or other payment details in a form or document. Alternatively, until a fix ships, a browser that is not based on Chromium, such as Firefox or Safari, can be used instead.
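The following is an added example, not code from the article or from the Chromium project. It models the three points made above: a page overwriting the clipboard on load without any user gesture, the user-gesture gate that the quoted bug report says was disabled (modelled here with a simple `isActive` check, not Chromium's own implementation), and the paste check a wallet form can perform as a defence. The addresses, the `FakeClipboard` stand-in for `navigator.clipboard`, the field id `recipient` and the helper names are all constructed for the demo.

```javascript
// Added example (not from the article or Chromium). All addresses are constructed.
const ATTACKER_ADDRESS = "bc1qattackerattackerattackerattackerxxxxxx"; // constructed, not a real wallet
const USER_ADDRESS = "bc1quseruseruseruseruseruseruseruserxxxxxxx";     // constructed, not a real wallet

// Stand-in for navigator.clipboard so the demo also runs outside a browser (assumption).
class FakeClipboard {
  constructor() { this.text = ""; }
  writeText(t) { this.text = String(t); }
  readText() { return this.text; }
}

// What a malicious page does under the unpatched behaviour: overwrite the
// clipboard the moment the page loads, with no click or keypress from the visitor.
function silentOverwrite(clipboard, payload) {
  clipboard.writeText(payload);
  return clipboard.readText();
}

// Model of the user-gesture requirement: refuse the write unless it happens
// during a user activation (what navigator.userActivation.isActive reports in
// browsers that support it). A real browser rejects the writeText() promise
// with a NotAllowedError; this model throws before touching the clipboard.
function gatedWriteText(clipboard, userActivation, payload) {
  if (!userActivation || !userActivation.isActive) {
    throw new Error("NotAllowedError: clipboard write requires a user gesture");
  }
  clipboard.writeText(payload);
  return clipboard.readText();
}

// Defensive check for a recipient field: a pasted value that looks like a
// Bitcoin address but is not one the user has saved is exactly the swap
// described above. Shape check only (bech32 "bc1..." or legacy base58),
// no checksum validation.
function checkPastedAddress(pasted, knownAddresses) {
  const value = String(pasted).trim();
  const addressLike = /^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$/.test(value);
  if (!addressLike) return { ok: false, reason: "not an address" };
  if (!knownAddresses.includes(value)) return { ok: false, reason: "unknown recipient" };
  return { ok: true, reason: "matches saved recipient" };
}

// Browser wiring (skipped under Node): the attack on load, and the paste check
// on an input with id "recipient" (assumed id).
if (typeof document !== "undefined" && navigator.clipboard) {
  window.addEventListener("load", () => {
    // Succeeds in an affected Chromium build; rejects once the gesture requirement is back.
    navigator.clipboard.writeText(ATTACKER_ADDRESS).catch((e) => console.warn("write refused:", e.name));
  });
  const field = document.getElementById("recipient");
  if (field) {
    field.addEventListener("paste", (e) => {
      const result = checkPastedAddress(e.clipboardData.getData("text"), [USER_ADDRESS]);
      if (!result.ok) {
        e.preventDefault();
        console.warn("Paste blocked: " + result.reason);
      }
    });
  }
}
```

Loaded in a page, the `load` handler reproduces the silent overwrite; under Node only the pure functions run, which is enough to see that the gate refuses a write outside a user activation while a guarded paste handler catches a swapped address before it reaches the form.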