Chrome and its derivatives can alter your clipboard without your knowledge



If you’re using a Chromium-based browser, it’s entirely possible for a website to write whatever it wants to your clipboard.

This vulnerability, introduced in version 104, gives malicious websites a way to harm users.

Just open a web page

When you copy or cut text, it is stored in your clipboard. Although some operating systems offer the option of keeping a clipboard history, the clipboard is often limited to a single item.

Writing a new item to the clipboard is restricted in browsers such as Firefox and Safari: they require a gesture from the user before text can be copied, namely selecting the content and then copying it via the context menu or with a shortcut such as Ctrl+C.

Today, Chromium-based browsers, such as Chrome, no longer have this restriction. If you want to see it for yourself, just visit the Webplatform News site: after opening the web page, your clipboard will contain a message informing you that your browser can alter your clipboard without your consent. To verify this, pasting into a text editor is enough. For those who have enabled clipboard history on Windows 10 and 11, the shortcut Windows+V shows it as well.

A vulnerability that is not without danger

The risks of this vulnerability are first of all practical: there is nothing more annoying than copying a text and losing it by innocently opening a web page. But the risk can be much more serious. Malwarebytes Labs points out that pasted text can end up being run as a command in a terminal. It’s also possible that a malicious actor is trying to insert banking credentials or a bitcoin address into your clipboard without your knowledge.

If you want to continue using your favorite browser even though it is vulnerable, it is recommended to be careful – for example by checking the clipboard in a text editor before pasting any sensitive information. Although it has been reported, this issue is not expected to be resolved immediately, since a fix would conflict with other features, such as (among others) Google Doodle animations.
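As an added example (not code from the article or from Malwarebytes Labs), the following guard re-imposes the user-gesture check that Chromium 104 dropped: it wraps `navigator.clipboard.writeText()` and rejects writes made while the page has no transient user activation, using the real `navigator.userActivation` API. The helper names and the fake objects used to exercise it are assumptions for illustration.

```javascript
// Added example, not code from the article or from Malwarebytes Labs.
// Re-imposes the user-gesture requirement on navigator.clipboard.writeText(),
// the check Chromium 104 dropped, using the real navigator.userActivation API.
// Helper names (shouldAllowClipboardWrite, installClipboardGuard) are assumptions.

// A write is allowed only while the page holds transient user activation
// (a recent click or key press), which is what Firefox and Safari require.
function shouldAllowClipboardWrite(nav) {
  const activation = nav && nav.userActivation;
  if (!activation) return false;          // no API available: fail closed
  return activation.isActive === true;
}

// Replace clipboard.writeText with a wrapper that rejects and records
// writes made without a gesture. Returns the list of blocked payloads
// (truncated) so a reviewer can see what the page tried to plant.
function installClipboardGuard(nav, clipboard, log = console.warn) {
  const originalWriteText = clipboard.writeText.bind(clipboard);
  const blocked = [];
  clipboard.writeText = function guardedWriteText(text) {
    if (shouldAllowClipboardWrite(nav)) {
      return originalWriteText(text);     // legitimate copy: pass through
    }
    const preview = String(text).slice(0, 60);
    blocked.push(preview);
    log(`[clipboard-guard] blocked writeText without user gesture: "${preview}"`);
    const err = new Error('Clipboard write requires a user gesture');
    err.name = 'NotAllowedError';         // same name the browser itself raises
    return Promise.reject(err);
  };
  return blocked;
}

// In a browser this must run in the page's main world; an extension's
// isolated-world content script would not intercept the page's own calls.
if (typeof navigator !== 'undefined' && navigator.clipboard) {
  installClipboardGuard(navigator, navigator.clipboard);
}
```

Note that `navigator.userActivation.isActive` reflects transient activation only, so a write triggered by a click that happened several seconds earlier is also refused, which matches the behaviour of the browsers that kept the restriction.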

Source: Malwarebytes Labs
