Pages

Google Chrome Allows Websites Unprotected Access To A User’s Clipboard, Setting The Community Up For Potential Cybersecurity Threats

Google Chrome browser unintentionally carried with it a bug that removed the requirement of user approval for clipboard writing events from websites.

That’s a ton of online jargon for one sentence, so I’ll break it down one after one. Chrome’s latest version, 104, essentially allows websites unrestricted access to a device’s clipboard. The clipboard is essentially just a mechanism via which certain platforms and sites can copy key information for you. For example, Zoom will automatically copy a room’s link for the user, allowing them to simply go ahead and paste it elsewhere. However, websites can’t just go ahead and copy information for a user with abandon; rather, they require approval from a user before anything of the sort happens. Now, the average individual would see this as a downside. After all, websites are automating the ability to use the Ctrl+C key for the user. How could this ease in daily life activities possibly have a downside? Well, that boils down to our understanding of clipboards, and how they can lead to very sensitive information being exposed.

Essentially, access to a device’s clipboard means that a few things are at risk. For starters, anything that a user has copied onto the clipboard can potentially be accessed by a foreign website. While this will mostly involve innocuous content such as links to YouTube videos or a funny message, these can also contain sensitive content that is often copied for ease. Examples include social security numbers, bank details, and so on. Furthermore, access to a device’s clipboard sets a user up as either the victim or the perpetrator of a phishing attack. Copying a harmful link onto a clipboard means that the user can potentially be sent there, and thus harmful effects follow.

While Chrome is the most egregious offender of clipboard cybersecurity, many argue that even the likes of Safari and Firefox aren’t much better. Many websites have certain ways of getting past browser security, and a simple measure such as asking for user consent doesn’t cut it. Then again, Chrome didn’t even manage that much, so maybe other browsers are just a little bit more secure. While Google has been alerted to 104’s deficit, it has yet to rectify the error.


Read next: These Data Stealing Chrome Extensions Were Downloaded Over 1.4 Million Times

No comments: