Websites may write to the clipboard in Chromium-based web browsers without user permission

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,426
If you run Google Chrome or another Chromium-based web browser, then websites may push anything they want to the operating system's clipboard without user permission or any user action.

Computer users may use the clipboard of the system for temporary storage: a password for entering it on a website, a file for moving it to another location on the system, or a bit of text found on a site for pasting in a Word document or a search engine.

Sites should never have access to the content of the clipboard, at least not without user permission. Chrome and other Chromium-based browsers have no such restriction currently. The makers of the Brave web browser considered adding the user gesture requirement in 2021, but this has not been implemented in the browser. The two other major browsers that do are not based on Chromium, Firefox and Safari, protect the clipboards of their users.

Visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards.

If you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:
Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see Interoperability issue: `navigator.clipboard.write()` and `navigator.clipboard.writeText()` user gesture requirement · Issue #182 · w3c/clipboard-apis.

All Chromium-based browsers that are up to date are affected by this. Firefox and Safari do require a user gesture before websites may copy content to the device's clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl-C or other means to copy it to the clipboard.

A bug report on the Chromium website highlights that the restriction to require a user gesture before reading or writing to the clipboard has been removed. The reason given: it breaks NTP doodle sharing.
Adding user gesture requirement for readText and writeText APIs
breaks NTP doodle sharing. We are relaxing this check for now, but
we should fix this for sites to not rely on these APIs to be called
without a user gesture.
See NewTabPageDoodleShareDialogFocusTest.All test for more details.

NTP refers to the New Tab Page of the browser, doodles are Google Doodles, variations of the Google logo that highlight events or people.

On this GitHub page, the assumption is made that the user gesture requirement could break remote clipboard synchronization in browsers.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,713
@ticklemefeet @Azure I don't think sandboxing has anything to do with it. The problem is with Chromium's code.
Yes. Which is why I was doubtful if sandboxing could help in this case.

The most I was able to do with sandboxing was preventing words to be “pasted” into a sandboxed browser but that didn’t stopped the website from “copying” into the clipboard.
 
F

ForgottenSeer 69673

Yup I also tried Crome Edge in Sandboxie Plus and it was not stopped. Not sure either what if any tweak to Appguard would work.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top