A security flaw in Google Chrome may allow malicious sites to hijack your clipboard

Version 104 of Google Chrome, the most recent stable release, has a security flaw that could be exploited to steal your private information.

Security researcher Jeff Johnson discovered the flaw, which removes the need for user approval before a website writes to the clipboard.

A lot of us copy and paste information from one place to another dozens or hundreds of times a day, and some of that information may be highly confidential, such as a phone number, address, password, login, or payment details.

Johnson is concerned that fake cryptocurrency sites could use this flaw to trick users into copying their wallet address into the system clipboard, putting their entire digital wallet at risk.

He cautions that Google Chrome isn't the only browser that works this way: according to the same source, both Safari and Firefox "allow web pages to write to the system clipboard," though they add an extra layer of security through gestures.

Johnson summarizes how all popular web browsers fail to provide sufficient protections for system clipboards.

Even though Ctrl+C (or Cmd+C on Mac) is the most common user gesture, he discovered that simply pressing the down arrow key to scroll through a website was enough to grant sites access to the computer clipboard.

Thankfully, you can visit specific websites to see if you are vulnerable. Webplatform.news is one such website that, when visited, may copy information to the clipboard. Simply visit the site and paste the clipboard contents into a new, blank document, such as one in Microsoft Word. If you see the following message, it means your browser is a security risk:

"This message was copied to your clipboard when you viewed Web Platform News from a browser that allows third-party websites to do so without prompting the user for permission to do so. We sincerely apologize for the trouble this has caused. Learn more at https://github.com/w3c/clipboard-apis/issues/182."

The Chrome team at Google is aware of the problem, but they haven't yet developed a solution.
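To see whether a page writes to the clipboard without a user gesture, a tester can wrap the Clipboard API and record each write together with the browser's user-activation state. The following is an added example, not code from Johnson, Google or the original article; `installClipboardAudit` and `makeFakeNavigator` are hypothetical names, and the wrapper is assumed to be installed before any page script runs.

```javascript
// Added example: audit (and optionally block) clipboard writes made without
// a user gesture. `nav` is a navigator-like object; in a browser, pass
// window.navigator. Function and field names are illustrative.
function installClipboardAudit(nav, { block = false, onEvent = () => {} } = {}) {
  const events = [];
  const clipboard = nav.clipboard;
  if (!clipboard) return events; // Clipboard API unavailable (e.g. insecure context)

  for (const method of ['writeText', 'write']) {
    const original = clipboard[method];
    if (typeof original !== 'function') continue;

    clipboard[method] = function (data) {
      // navigator.userActivation.isActive is true only shortly after a real
      // user gesture (transient activation). A missing API is recorded as null.
      const ua = nav.userActivation;
      const userActive = ua ? Boolean(ua.isActive) : null;
      const event = {
        method,
        userActive,
        preview: typeof data === 'string' ? data.slice(0, 40) : '[non-text items]',
        blocked: block && userActive === false,
      };
      events.push(event);
      onEvent(event);

      if (event.blocked) {
        return Promise.reject(new Error('clipboard write without user activation'));
      }
      return original.call(clipboard, data);
    };
  }
  return events;
}

// Constructed stand-in for window.navigator so the example runs outside a browser.
function makeFakeNavigator(isActive) {
  const written = [];
  return {
    written,
    userActivation: { isActive },
    clipboard: { writeText(text) { written.push(text); return Promise.resolve(); } },
  };
}
```

In a browser, `installClipboardAudit(navigator, { onEvent: console.warn })` logs every write; entries with `userActive: false` are the gesture-free writes the article describes.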