Websites may write to the clipboard in Chrome without user permission
If you run Google Chrome or another Chromium-based web browser, then websites may push anything they want to the operating system's clipboard without user permission or any user action.
Users rely on the system clipboard for temporary storage: a password to enter on a website, a file to move elsewhere on the system, or a bit of text found on a site to paste into a Word document or a search engine.
Sites should never have access to the clipboard, at least not without user permission. Chrome and other Chromium-based browsers currently have no such restriction. The makers of the Brave web browser considered adding a user gesture requirement in 2021, but it has not been implemented in the browser. The two other major browsers that are not based on Chromium, Firefox and Safari, do protect the clipboards of their users.
Visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards.
If you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:
Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.
All Chromium-based browsers that are up to date are affected by this. Firefox and Safari do require a user gesture before websites may copy content to the device's clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl-C or other means to copy it to the clipboard.
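The check the test site performs, written out as an added example (this is not the Web Platform News site's own script): it calls navigator.clipboard.writeText() straight from page load, outside any click or keypress handler, and reports whether the browser allowed the gesture-less write. The clipboard object is passed in so the same logic can be exercised under Node with constructed stand-ins; the on-load usage and the stand-in objects are assumptions.

```javascript
// Added example: probe whether this browser lets a page write to the
// clipboard without a user gesture (the behaviour the article describes).
// The clipboard object is injected so the logic can also run under Node.
const MARKER = 'clipboard-probe: written without a user gesture';

async function probeClipboardWritePolicy(clipboard) {
  if (!clipboard || typeof clipboard.writeText !== 'function') {
    return { result: 'unsupported', detail: 'async Clipboard API not available' };
  }
  try {
    // Called with no user activation: no click or keypress handler is involved.
    await clipboard.writeText(MARKER);
    return { result: 'unrestricted', detail: 'writeText succeeded without a gesture' };
  } catch (err) {
    // Firefox and Safari reject a gesture-less write with NotAllowedError.
    // Chrome also uses NotAllowedError when the document is not focused,
    // so err.message is kept to tell the two apart.
    if (err && err.name === 'NotAllowedError') {
      return { result: 'gesture-required', detail: err.message };
    }
    return { result: 'error', detail: String(err) };
  }
}

// Constructed stand-ins for the two behaviours, for running outside a browser.
const gestureRequiredClipboard = {
  writeText: async () => {
    const e = new Error('Clipboard write was blocked due to lack of user activation.');
    e.name = 'NotAllowedError';
    throw e;
  },
};
const unrestrictedClipboard = {
  stored: '',
  writeText: async (text) => { unrestrictedClipboard.stored = text; },
};

// Assumed usage: in a real page, run the probe on load; under Node, run the stand-ins.
if (typeof document !== 'undefined') {
  probeClipboardWritePolicy(navigator.clipboard)
    .then((r) => console.log(r.result, '-', r.detail));
} else {
  Promise.all([
    probeClipboardWritePolicy(gestureRequiredClipboard),
    probeClipboardWritePolicy(unrestrictedClipboard),
  ]).then((rs) => rs.forEach((r) => console.log(r.result, '-', r.detail)));
}
```

A result of `unrestricted` on page load is the Chromium behaviour the article describes; `gesture-required` is what Firefox and Safari return.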
A bug report on the Chromium website highlights that the restriction to require a user gesture before reading or writing to the clipboard has been removed. The reason given: it breaks NTP doodle sharing.
Adding user gesture requirement for readText and writeText APIs
breaks NTP doodle sharing. We are relaxing this check for now, but
we should fix this for sites to not rely on these APIs to be called
without a user gesture.
See NewTabPageDoodleShareDialogFocusTest.All test for more details.
NTP refers to the New Tab Page of the browser, doodles are Google Doodles, variations of the Google logo that highlight events or people.
On this GitHub page, the assumption is made that the user gesture requirement could break remote clipboard synchronization in browsers.
Now You: is your browser vulnerable?