Vulnerability: Clipboard freely accessible in Chromium-based browsers


Websites can currently access the clipboard without restriction in Chromium-based web browsers. Among other things, this enables attacks on users.


Chromium-based web browsers such as Microsoft’s Edge or Google’s Chrome, in their current versions, let websites access the system clipboard without any user interaction. A website can thus place its own data on the clipboard, which careless users may later paste into forms. This becomes a risk with cryptocurrency transactions or similar data.


The cause is a disabled user-interaction check that is otherwise required: a Microsoft employee ran into a failing test, NewTabPageDoodleShareDialogFocusTest.All, when opening a new tab. Without the prior user action normally required to access the clipboard, such as pressing the key combination Ctrl + C, everything worked as desired, so the mandatory user-gesture requirement was simply dropped to make the test pass.

In the bug report, the developer explains that this isn’t a good solution and that it needs to be revised: “We’re disabling the user interaction requirement for read/writeText for the time being, but we should reconsider.” A discussion has since developed in the bug tracker about how important a fix for this unexpected and security-critical behavior is. At least the developers have recognized a certain urgency.

Other web browsers such as Safari or Firefox, by contrast, require a prior user action before a website can access the clipboard. Now that the incorrect clipboard behavior of Chromium-based web browsers is known, a fix should not be long in coming.

Until web browsers such as Chrome or Edge have been fixed in this regard, however, users should carefully check whether copied content is really what they expect before pasting it into forms or documents. If a visited website places a wrong wallet number or bitcoin address on the clipboard, funds could otherwise flow irretrievably to the wrong recipient; this is exactly what the Evrial malware did by monitoring and manipulating the clipboard.