Google Chrome Allows Websites Unprotected Access to a User’s Clipboard, Exposing the Community to Potential Cybersecurity Threats / World of Digital Information


Google Chrome shipped with a bug that unintentionally removed the user approval requirement for websites writing to the clipboard.

That’s a ton of online jargon for one sentence, so I’ll break it down piece by piece. Chrome’s latest version, 104, essentially allows websites unrestricted access to a device’s clipboard. The clipboard is basically just a mechanism by which certain platforms and sites can copy key information for you. For example, Zoom will automatically copy a room link for the user, allowing them to simply go ahead and paste it elsewhere. However, websites cannot just copy a user’s information with abandon; instead, they require the user’s approval before anything like that happens. Now, the average person would see that requirement as a downside. After all, websites are only automating the Ctrl+C keystroke for the user. How could such an everyday convenience have a disadvantage? Well, it comes down to our understanding of clipboards and how they can lead to the exposure of very sensitive information.

Essentially, access to a device’s clipboard means certain things are at risk. For starters, anything a user has copied to the clipboard can potentially be viewed by a foreign website. Although this is mostly innocuous content, such as links to YouTube videos or a funny message, it may also include sensitive content that is often copied for convenience. Examples include social security numbers, bank details, etc. Additionally, access to a device’s clipboard can make a user either the victim or the perpetrator of a phishing attack. If a harmful link is copied to the clipboard, the user can potentially be sent there, and harmful effects ensue.
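One way an application can treat pasted text as untrusted before following it as a link, since a page may have silently replaced what is on the clipboard. This is an added example, not code from Chrome or from the original article; the allowlist, the function names and the sample strings are assumptions made for illustration.

```javascript
// Added example: vet clipboard text before treating it as a link.
// TRUSTED_HOSTS is a hypothetical allowlist chosen for this illustration.
const TRUSTED_HOSTS = ["zoom.us", "youtube.com"];

function hostIsTrusted(host, trusted) {
  // Exact match or a true subdomain ("us02web.zoom.us"),
  // never a lookalike suffix such as "evilzoom.us".
  return trusted.some((t) => host === t || host.endsWith("." + t));
}

function vetClipboardText(text, trusted = TRUSTED_HOSTS) {
  const trimmed = text.trim();
  // Text containing whitespace is ordinary prose, not a single link.
  if (/\s/.test(trimmed)) {
    return { kind: "text", ok: true, reason: "not a URL" };
  }
  let url;
  try {
    url = new URL(trimmed);
  } catch {
    return { kind: "text", ok: true, reason: "not a URL" };
  }
  if (url.protocol !== "https:") {
    return { kind: "url", ok: false, reason: "scheme is not https" };
  }
  // "https://zoom.us@other.host/" shows a trusted name but goes elsewhere.
  if (url.username || url.password) {
    return { kind: "url", ok: false, reason: "credentials embedded in URL" };
  }
  // Punycode labels can render as lookalike characters in some UIs.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    return { kind: "url", ok: false, reason: "punycode host" };
  }
  if (!hostIsTrusted(url.hostname, trusted)) {
    return { kind: "url", ok: false, reason: "host not on allowlist" };
  }
  return { kind: "url", ok: true, reason: "trusted https link" };
}
```

A caller would show the `reason` to the user and require an explicit confirmation before opening any link for which `ok` is false.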

While Chrome is the most egregious violator of clipboard cybersecurity, many argue that even Safari and Firefox aren’t much better. Many websites have some means of circumventing browser security, and a simple measure such as asking for user consent is not enough. Then again, Chrome didn’t even manage that much, so maybe other browsers are a bit more secure. Although Google was alerted to the shortfall in version 104, it has yet to rectify the error.
