Websites may write to the clipboard in Chrome without user permission
If you run Google Chrome or another Chromium-based web browser, then websites may push anything they want to the operating system's clipboard without user permission or any user action.
Computer users may use the clipboard of the system for temporary storage: a password for entering it on a website, a file for moving it to another location on the system, or a bit of text found on a site for pasting in a Word document or a search engine.
Sites should never have access to the content of the clipboard, at least not without user permission. Chrome and other Chromium-based browsers have no such restriction currently. The makers of the Brave web browser considered adding the user gesture requirement in 2021, but this has not been implemented in the browser. The two other major browsers that do are not based on Chromium, Firefox and Safari, protect the clipboards of their users.
Visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards.
If you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:
Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.
All Chromium-based browsers that are up to date are affected by this. Firefox and Safari do require a user gesture before websites may copy content to the device's clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl-C or other means to copy it to the clipboard.
A bug report on the Chromium website highlights that the restriction to require a user gesture before reading or writing to the clipboard has been removed. The reason given: it breaks NTP doodle sharing.
Adding user gesture requirement for readText and writeText APIs
breaks NTP doodle sharing. We are relaxing this check for now, but
we should fix this for sites to not rely on these APIs to be called
without a user gesture.
See NewTabPageDoodleShareDialogFocusTest.All test for more details.
NTP refers to the New Tab Page of the browser, doodles are Google Doodles, variations of the Google logo that highlight events or people.
On this GitHub page, the assumption is made that the user gesture requirement could break remote clipboard synchronization in browsers.
Now You: is your browser vulnerable?
Normally if the site is trustworthy, you can get away with copying & pasting into the terminal. But if other sites loaded can paste at any time, even that is not ok.
We did sort of know this, though. Was it Ka Ping Yee who pointed out that the clipboard is not a secure interaction model in the early 2000s?
Brave: No.
Paste below url into addybar,
brave://settings/content?search=clipboard
Then hunt for the clipboard setting. It is hidden from easy view and intentionally made very difficult to find. But once found, disable the clipboard access setting; then sites will no longer be able to access this highly private data holding resource. While there, disable access to most all private resources such as USB, File, Camera, Mic, et al access. Chromium et all have a similar setting located via the same url scheme.
errr, Brave: YES.
Originally had Javascript disabled for the above test. I just enabled it and did a hard page refresh – and the clipboard was written to by a remote site. PS: The above “?search=clipboard” guidance is solid as sites cannot read your clipboard contents (in theory annot read; it is a google browser and who knows what that corrupt company does behind the scenes).
O&O shutup contains a section “Activity History and Clipboard”.
If everything is switched to green, is then the Clipboard risk gone? (Then also in Settings-System-Clipboard is switched off and unaccesable).
Correction of sentences:
> Google responded, “Session hijacking risk measures are the fault of the end user, and the browser developer is not responsible for them. The company responded, “We will not fix it.
Google responded, “Session hijacking risk measures are the fault of the end user, and the browser developer is not responsible for them. We will not fix it”.
Clipboard (computing) – Wikipedia
https://en.wikipedia.org/wiki/Clipboard_(computing)
The clipboard is a buffer that some operating systems provide for short-term storage and transfer within and between application programs. The clipboard is usually temporary and unnamed, and its contents reside in the computer’s RAM.
The clipboard provides an application programming interface by which programs can specify cut, copy and paste operations. It is left to the program to define methods for the user to command these operations, which may include keybindings and menu selections. When an element is copied or cut, the clipboard must store enough information to enable a sensible result no matter where the element is pasted.
Clipboard: Computer security – Wikipedia
https://en.wikipedia.org/wiki/Clipboard_(computing)#Computer_security
Clipboard hijacking is an exploit in which a person’s clipboard’s content is replaced by malicious data, such as a link to a malicious web site.
JavaScript can still be used to modify clipboard content via an attack dubbed ‘paste jacking’
There have been exploits where web pages grab clipboard data.
Clipboard: APIs JavaScript – Wikipedia
https://en.wikipedia.org/wiki/Clipboard_(computing)#JavaScript
In JavaScript aren’t supported by every browser since altering the clipboard of a user can represent a security issue.
Chrome allows websites to write to the clipboard without the user’s permission | Hacker News
https://news.ycombinator.com/item?id=32614037
Web Platform News
https://webplatform.news/
Issue #182 · w3c/clipboard-apis · GitHub
https://github.com/w3c/clipboard-apis/issues/182
Naleksuh commented, “This has been a problem for some time. Because of this problem, JavaScript should not be enabled on random websites.”, but This comment was marked as off-topic.
Apparently, this is related to the following issue
Your browser stores passwords and sensitive data in clear text in memory – gHacks Tech News
https://www.ghacks.net/2022/06/12/your-browser-stores-passwords-and-sensitive-data-in-clear-text-in-memory/
To summarize:
Google Chrome (and the Chromium family of web browsers and Vivaldi Mail) deploys “all of your login information decrypted into plain text” and “all of your unique, sensitive data” such as session cookies even if a Chrome process with only a new tab open, in memory at all times until the browser is closed.
Security researchers pointed out the session hijacking vulnerability to Google, but Google responded, “Session hijacking risk measures are the fault of the end user, and the browser developer is not responsible for them. The company responded, “We will not fix it.
Correction of sentences:
> Google responded, “Session hijacking risk measures are the fault of the end user, and the browser developer is not responsible for them. The company responded, “We will not fix it.
Google responded, “Session hijacking risk measures are the fault of the end user, and the browser developer is not responsible for them. We will not fix it”.
Vivaldi here, and it’s vulnerable.
Scary. That being said, anyone who has been paying attention knows by now that the eventual goal with browsers is to give websites 100% complete control over the user’s device while they are on said website. This will be done to protect the interests of big companies; detecting and thwarting ad blockers, preventing the user saving media from the web to their computer, etc etc. So at the end of the day, it’s just not very surprising that sites can silently mess with my clipboard.
2 questions:
1. Why does a custom Google logo require clipboard access to begin with…?, and
2. Why didn’t Google fix that requirement instead of breaking clipboard security for 95% of the browsers in use world-wide?
Write to Google spokeperson Iron Heart.
Vulnerable on chrome on android, but it showed me a toast that said something was copied to the clipboard when it happened
That’s a new Android 13 feature, IIRC. Quite useful.
Tested in Floorp = No
https://floorp.ablaze.one/download/
Clarification request: is the website’s “access” to the clipboard to READ existing content as well as to WRITE new content to the clipboard?
What are specific risks to privacy & security if the website’s access ONLY allows it to write to the clipboard (for example can a website introduce malware via the clipboard, which is installed or activated if the user clicks paste by accident)? i assume the user, by copying to the clipboard, overwrites any content the website “wrote” to the clipboard — is that correct?
HT:
I’m no expert on Clipboard, but I’ve seen on my computer references to something like “X of 24” items on Clipboard. That implies the max. # of entries is 24. The stack keeps getting pushed down each time a new item is copied, and if a 25th item is copied I guess it would drop the 1st item, and the 25th item would become the new 24th, and the 2nd becomes the new 1st. Somebody correct me if this isn’t the way it works.
And as I said in a previous post, this seems like a lousy way of trying to steal info from somebody’s computer if reading capability is also involved.. This Clipboard writing isn’t a good thing to do, but I doubt anybody will be harmed by it.
I think you’re correct. Other than being a bit annoying (e.g. suppose I’d copied an TOTP code in order to paste it and it gets overwritten), I’m not sure what the problem might be with this write-only behaviour.
That website wasn’t able to put anything on the clipboard with Pale Moon running on antiX GNU/Linux. I assume that Pale Moon is therefore immune by default.
The same with the Basilisk browser – the webplatform.news website did not place anything on the clipboard.
The webplatform.news website was able to place its message in the clipboard with the Brave browser. But it was not able to with the noscript extension enabled, without specifically allowing the webplatform.news js to run unhindered. So I would assume that noscript in default mode will stop this behavior on chromium-based browsers. Might be worthwhile for other users to check it on other chromium-based browsers running noscript.
It also was not able to load anything into the clipboard with the links2 command line browser.
It was not able to load anything into the clipboard with the luakit browser, which is a WebKit browser for GNU/Linux.
It appears to me that this is a problem with the highly exploitable chromium js engine, V8.
@Andy Prough
> highly exploitable chromium js engine, V8
Highly exploitable, as opposed to what? SpiderMonkey? Don’t make me laugh. Firefox already has partial support for this as well and is just not yet done implementing the same thing, according to their very own table.
Due to the record breaking high number of zero day exploits of Chrome/chromium the past few years, it appears that V8 is highly exploitable compared to pretty much everything.
@Andy Prough
Is anything else used as much, I mean even close? That it is the sole target of hackers seeking to exploit browsers does not mean it is insecure in comparison, when competitor browsers are seldom if ever tested for weaknesses AT ALL. You are putting people at risk with dangerous misinformation that fails to take into account this large gap (of usage, and interest).
Yeah and the browser may up do a lot of stuff without user permission or acknowledge…
oh what a surprise?
this is obviously a feature not a exploit or a bug, and anyone can do it. It is like when websites detect you have DevTools opened and they send you to the Debugger until you close it,
you wish the Browser would have more control over that, but that’s life!
It is actually a pretty simple script so I don’t understand the issue.
I added/made the usual global filter in uBlock and it is fixed *##+js(acis, navigator.clipboard)
it is weird because it doesn’t work like the usual scriplet injection but nothing gets copied to the clipboard which is I guess okay?
There are many ways to stop it since it is a inline script on that page, but uBlock made it easy and it works, and it should work on other cases.
People are just dramatic for real, I mean, if people really think they have control over websites they visit and developer’s god complex, well, too bad. They should quit the internet. Developers have the power and some will use and others won’t, that’s life and that’s your risk for going to any website.
When all else fails, I use UR, a Chrome variant. The problem exists there.
I guess I don’t understand why a website would want to write to Clipboard. I can understand why it would want to read the contents, although that sounds like a crapshoot way of looking for valuable/usable information. Can any website read anything on an accessing computer, like memory or the hard drive?
DuckDuckGo browser on Android is not vulnerable to this. Is it based on Gecko?
It is based on Android System Webview. So it is based on Chromium but system webview is different from a full chromium browser.
Cheers!
Unlock Origin on Brave / Edge stops it.
What setting/script in UBO does this? Please tell.
I am on Brave. I have UBO. The issue happens.
“A bug report on the Chromium website highlights that the restriction to require a user gesture before reading or writing to the clipboard has been removed. The reason given: it breaks NTP doodle sharing.”
If I understand correctly Google bypassed a basic privacy feature for the sake of its insane doodles, doodles for which you’ll find several dedicated scripts to remove those exotic absurdities.
I checked the Clipboard manipulation Tester page mentioned in the article as a poor kid would check his shoes on Christmas morning to see if a dollar wouldn’t have been put there by Santa… that is without belief, and of course no vulnerability : I run Firefox.
Google, Google, Google … mama mia, ouy ouy ouy … run maybe not for your life but for your privacy, certainly.
I’m able to stop this behavior in Edge / Brave with uBlock Origin
I checked this on Android, and Firefox variants, Klar and Mull aren’t vulnerable, but Chromium variants, Vivaldi and Bromite are. Sad, really, but not surprising as Google’s all about the money from selling user data.
Just one question though, why does Google think that people want to copy & paste their doodles, and that this is so “important” that they’ll risk hacking?
I loaded the page in Edge and nothing was copied to the clipboard.
Version 104.0.1293.70 (Official build) (64-bit)
Perhaps others have not gone through the settings, they do change quite often.
FYI I have a handy shortcut on the desktop to clear the clipboard.
Target: %windir%\System32\cmd.exe /c “echo off | clip”
Start in: %windir%\System32
The fact that some say Edge is vunerable to this and others saying it is not got me asking why?
What is causing these different outcomes?
I wonder if it has anything to do with “Clipboard history” and/or “Allow clipboard synchronization across devices”?
These can both be turned of in the settings although I myself have them disabled in the group policy as they are a severe security risk to anyone who copy/pastes any sensitive information, like usernames and paswords.
In answer to your question Martin, I directed my Brave browser v1.42.97 (Aug 17th, 2022) to the site as stated in the article.
And now I’ll paste what is in my clipboard in quotes below …
“Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.”
It has the issue documented.
** Revised ** Brave 1.43.79 No – using uBlock Origin. Otherwise, yes.
Brave 1.43.79 No
If I could get rid of Doodles entirely, then I would (which would be a nice reason for Google to re-instate the flag which allowed this… maybe when they’re updating this code?).
@allen, if you run a usersript manager several dedicated scripts are available, i.e. :
No Google Doodle
Get rid of Google Doodle logos and link
[https://greasyfork.org/en/scripts/425053-no-google-doodle]
Back in the days when I used Google Search I remember having installed such a script to get rid once and for all of this insanity called doodle.
Look at this, fellas:
https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/write
I quote from the source:
„ Browser support for the asynchronous clipboard APIs is still in the process of being implemented.“
FF already has partial support for this as well according to the table on the website, and is in the process of finalizing it. Bad news for the shills.
Look at this, fellas:
Iron Heart can post an MDN link but not read it and just make big scary word salads of nonsense instead of acknowledging Firefox’s implementation is gated behind permissions
Clipboard – Web APIs | MDN
https://developer.mozilla.org/en-US/docs/Web/API/Clipboard
The Clipboard interface implements the Clipboard API, providing—if the user grants permission—both read and write access to the contents of the system clipboard.
The system clipboard is exposed through the global Navigator.clipboard property.
Calls to the methods of the Clipboard object will not succeed if the user hasn’t granted the needed permissions using the Permissions API and the ‘clipboard-read’ or ‘clipboard-write’ permission as appropriate.
Note: In reality, at this time browser requirements for access to the clipboard vary significantly. Please see the section Clipboard availability for details.
All of the Clipboard API methods operate asynchronously; they return a Promise which is resolved once the clipboard access has been completed. The promise is rejected if clipboard access is denied.
The asynchronous clipboard API is a relatively recent addition, and the process of implementing it in browsers is not yet complete. Due to both potential security concerns and technical complexities, the process of integrating this API is happening gradually in most browsers.
In short,
Mozilla’s vision is based on user consent, which is the exact opposite of Chromium, which operates without consent.
Therefore, the process of implementing it in browsers is not yet complete. Due to both potential security concerns and technical complexities, the process of integrating this API is happening gradually in most browsers.
>In short,
Mozilla’s vision is based on user consent, which is the exact opposite of Chromium, which operates without consent.
Ouch, somebody got pwned in their quest to shill for Google.
@Karl
> Ouch, somebody got pwned in their quest to shill for Google.
Nothing and nobody got pwned, LOL. Read Mozilla’s own docs and see that they use the same permission model for “read” access that Chromium does and that they grant “write” access automatically, without user consent, for the active tab. Are you able to read, or…?
Have to praise your well mannered response to Iron Heart’s nonsense @owl. On second thought your comments are always detailed, straight to the point and informative like Tom Hawack.
Like you said in previous article some folks don’t even use Firefox but they have to complain all the time. This chromium clipboard feature is nightmare for privacy and yet some folks can only see problems in Firefox which aren’t even related.
@Yash
> Have to praise your well mannered response to Iron Heart’s nonsense @owl.
Well mannered pile of nonsense. @owl does not know what he is talking about. Read the reply of @Sdar or better yet read the linked text itself, the “write” permission is granted automatically in active tabs and does not(!) require user permission in Firefox. “Read” access must be granted both in Chromium and Firefox.
Both browsers need consent to read, and to write chrome doesn’t need anything and firefox grants the permission automatically once the tab is considered “active” (pretty much any user interaction).
[… The “clipboard-write” permission of the Permissions API, is granted automatically to pages when they are in the active tab. …]
https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/write
Chrome vulnerable? A big fat NOPE. Don’t copy and paste, problem solved. If you need to copy and paste, you need to improve your memory skills. People have become too lazy these days. Imagine blaming the browser for your lack of skills.
@ Chrome Fan
“Don’t copy and paste, problem solved. If you need to copy and paste, you need to improve your memory skills.”
You’re trolling, right ? Copy and paste is one of the fundamental inventions of what used to be called micro-computers — that’s computers to you nowadays.
“Don’t accelerate nor brake, problem solved. If you need an accelerator pedal and a brake pedal, you’re a sissy who needs to improve your motoring skills.”
Is it really hard to imagine that there are people who copy and paste because it saves keystrokes? Typing out very long text repeatedly can really get tiring, you know.
ChromeFan:
How I use my computer is my business, nobody else’s. If I want to copy/paste until the sun burns out, that’s my choice and has utterly nothing to do with being lazy. And peoples’ memory skills are whatever they are, unlike yours which, apparently, are perfect. Software providers even suggest copy/pasting, say, a product key, to make sure the user gets it right the first time.
If a piece of software is doing something it shouldn’t be doing, it shouldn’t be doing it–what a concept. You’re wrong. Case closed.
yay copying post and discussion from https://news.ycombinator.com/item?id=32614037
without citing them. Good job
Nightly Firefox NO
Firefox NO
Librewolf NO
Tor Browser NO
Well you can still write to the clipboard in firefox based browsers (unless completely disabled on about:config) after ie. clicking on deny all on the cookie message, or closing a popup. A user click is the only thing needed to copy to the clipboard.
ps: Writing in the clipboard is easy but you can’t read its contents.
A little demo, as I said you can conceal this any way you want, a dismiss for a popup, cookies or whatever may cause user input, as soon as you have user input the tab is considered active and the clipboard-write permission is granted automatically.
In this demo you can click the button so it writes to your clipboard, but I wanted to show that it doesn’t need to be a button so clicking anywhere on the site (except the edit in jsfiddle button) will wirte on your clipboard.
https://jsfiddle.net/dvxaywrj/1/show
Reading the clipboard will require specific permissions on both chromium and firefox based browsers and will not be granted automatically as it’s done with the write permission.
A little demo, as I said you can conceal this any way you want, a dismiss for a popup, cookies or whatever may cause user input, as soon as you have user input the tab is considered active and the clipboard-write permission is granted automatically.
But what if clipboard is DISABLED on your computer?
Well, if you can disable your clipboard system wide then there should be no way to write on it, as it’s not even there.
Hurry for Firefox!
How does Brave do?
First post above. Do you have a reading problem?
Used Edge Chromium and yes indeed, it is vulnarable. Is there nothing in the edge://flags to stop it?
Yes, Brave (beta) on Windows is ‘vulnerable’. I don’t mind the writing to the clipboard access. It is reading that concerns me, but is that actually possible?
In fact, Microsoft Edge and any browsers built on the Chromium platform is vulnerable. It’s disturbing that you wouldn’t notice if a website modified just a few words copied to your clipboard. Reading access is even more alarming. I don’t see any reason why Google couldn’t create read access as well. They are just as evil as the bad guys. I sincerely hope a patch will be released for this issue shortly.
@Anonymous
> Reading access
Look up dom.event.clipboardevents.enabled and research what this setting is for in Deplatformingfox, then return to me.
> if you run Google Chrome or another Chromium-based web browser, then websites may push anything they want to the operating system’s clipboard without user permission or any user action.
There is something not right about chromium-based browsers in my opinion. I do not like using them, something feels wrong with them. The code has become too large increasing the potential attack surface for cyber criminals, the code has become basically a mini-os, a monopoly also, and there are way too many things going on with Javascript, security issues, bugs etc constantly getting patched
A Browser should not have as much code as an OS! On paper the idea of a FOSS Chromium browser sounds good, but in reality google has made the code too bloated and the engine too popular. Some people actually believe that chromium browsers have the best security, the evidence and statistics points to something entirely different though. Firefox, gets nowhere near the security issues of browsers like Chrome, Edge, Brave and Vivaldi.
> Sites should never have access to the content of the clipboard, at least not without user permission. Chrome and other Chromium-based browsers have no such restriction currently. The makers of the Brave web browser considered adding the user gesture requirement in 2021, but this has not been implemented in the browser. The two other major browsers that do are not based on Chromium, Firefox and Safari, protect the clipboards of their users.
> A bug report on the Chromium
chromium browsers are a potential security nightmare with Javascript on.
What browser is safer to use? Firefox is! Just standard Firefox, it is much safer than chromium based browsers and even FF forks like Librewolf too, because forks are slow to get updates and have only small teams maintaining them, Firefox is the only FOSS browser maintained by well paid developers. Google chrome is a proprietary browser where an ad tech company bloats the code. No thanks. Firefox is much safer.
@Anonymous123’s new nick
> something feels wrong with them
Starting out with a strong argument, I see.
> the code has become basically a mini-os
Well yeah, Chrome OS is a thing. That being said, all current browser codebases are the size of operating systems.
> a monopoly also
Where did Safari and Firefox go all of a sudden?
> and there are way too many things going on with Javascript
Both good and bad, the web would be a worse and way less interactive place without JS. Without JS, we would be stuck with the web of 1995.
> security issues
As you said yourself, the codebase has the size of an operating system, so no surprises there.
> bugs etc constantly getting patched
…which is a good thing.
> too popular
That’s not a thing. People use what they want to use. Too bad for you that it’s not Deplatformingfox.
> Some people actually believe that chromium browsers have the best security
It’s not a matter of “belief”, bud. Belief belongs to the realm of religion.
That Chromium has strong sandboxing and real site isolation is not “belief”, it is fact, verifiable via the open source code.
> Firefox, gets nowhere near the security issues of browsers like Chrome
Yeah, because it’s not a valuable target with 3% market share. Not because it is well-engineered (which it isn’t, it’s garbage).
> Firefox, gets nowhere near the security issues of browsers like Chrome, Edge, Brave and Vivaldi.
Because nobody uses it.
> What browser is safer to use? Firefox is!
LOL, nope. You can’t have it both ways. You claim Firefox is secure based on its irrelevancy (which is a shoddy argument in itself, but hey, let’s ride with it), but when more people start using it, it will become a more attractive target of hackers, invalidating the irrelevancy factor.
> Firefox is the only FOSS browser maintained by well paid developers
Evidently false. Chromium is open source. So is WebKit. And Deplatformingfox’s devs are actually paid by Google.
> Google chrome is a proprietary browser where an ad tech company bloats the code.
So what? Chrome is just a closed source variant of Chromium, which is open source. And ad tech? Where do you think Mozzarella’s money comes from? Did I miss the part where Mozzarella publicly came out against ads?
> No thanks. Firefox is much safer.
Nice ad. Want a job in the ad tech industry?
Quality of gHacks posts went downhill ever since they said bye bye to fact-based arguments for the most part.
Amazing Redditor spacing. Makes reading these rants impossible and easier to skip.
@Frankel
> Makes reading these rants impossible and easier to skip.
I hoped that you not reading it would have spared me your usual reply. I was wrong. Stick with the fake news and nonsense.
@Iron Heart,
> @Anonymous123’s new nick
Your reply to GNU Linux Sophistication is beyond insulting.
You should know him from the following thread,
https://www.ghacks.net/2022/08/23/firefox-104-analyze-a-websites-power-usage-and-ui-throttling/#comment-4546462
The insights of the GNU Linux Sophistication were excellent, and they behaved sincerely and politely to share “experiences, techniques, lessons learned, advice, etc.” This is a rare thing in the ghacks community these days.
At the very least, ghacks should be respected as a community (A place to exchange information with people who share common challenges) where people can share “their experiences, skills, lessons learned, advice, etc.”
LibreWolf (main browser) – no
Brave (secondary browser) – yes
Brave (with shields) – no
Brave (shields turned off) – yes
welcome to another “everyday is an exploit day at chromium”