Google developer Jeff Johnson explained how the vulnerability is triggered: once a page has been granted permission to overwrite the contents of the clipboard, any of several user actions can set it off, such as actively performing a cut or copy, clicking a link on the page, or simply scrolling up or down on the page in question.
The difference between the browsers is that Firefox and Safari users must actively copy content to the clipboard using Control+C or ⌘-C, while Chrome users can be affected by viewing a malicious page for no more than a fraction of a second.
Johnson’s blog post cites a video example by Šime, a content creator who specializes in web development. Šime’s demo showed how quickly Chrome users are affected: the vulnerability is triggered whenever they switch between active browser tabs. Regardless of how long or in what way the user has interacted with the page, the malicious website immediately replaces whatever is on the clipboard with content of the threat actor’s choosing.
Johnson’s blog provides technical details describing how a page can gain permission to write to the system clipboard. One way is to use the now-deprecated document.execCommand.
Another is the newer navigator.clipboard.writeText API, which can write arbitrary text to the clipboard without further manipulation. A demo shows how both approaches to the same vulnerability work.
While this vulnerability may sound innocuous on the surface, users should stay alert to the fact that malicious actors could exploit content swapping to take advantage of unsuspecting victims. For example, a fraudulent website could replace a previously copied URL with a different fraudulent URL, silently redirecting users to sites designed to harvest information and compromise security.
The vulnerability also lets threat actors swap a cryptocurrency wallet address that a user has copied to the clipboard for the address of a wallet controlled by a malicious third party. Once the transaction goes through and funds are sent to the fraudulent wallet, victims usually have little ability to trace or recover their money.
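One defensive measure against the URL and wallet-address swaps described above is a paste-time check on the receiving side: record what the user deliberately copied, and warn when the clipboard content that arrives at paste time no longer matches it. The following is an added example, not code from Johnson’s post or from any browser vendor; the DOM wiring at the bottom assumes a page with standard copy, cut and paste events, and the address pattern is a constructed heuristic rather than a full validator.

```javascript
// Added example: detect a hijacked clipboard at paste time by comparing the pasted
// text with the text the user last copied themselves. Pure logic lives in
// ClipboardGuard so it can run without a browser; the DOM hooks are optional.

class ClipboardGuard {
  constructor() {
    this.lastUserCopy = null; // text the user deliberately put on the clipboard
  }

  // Call from a 'copy' or 'cut' event handler with the user's selected text.
  recordCopy(text) {
    this.lastUserCopy = typeof text === 'string' ? text.trim() : null;
  }

  // Call from a 'paste' event handler with the text about to be inserted.
  // Returns { ok, reason } so the caller can block the paste or warn the user.
  checkPaste(pasted) {
    const value = typeof pasted === 'string' ? pasted.trim() : '';
    if (this.lastUserCopy === null) {
      return { ok: true, reason: 'no user copy recorded' };
    }
    if (value === this.lastUserCopy) {
      return { ok: true, reason: 'matches last user copy' };
    }
    // Content differs from what the user copied: classify the swap so the
    // warning is specific about what was replaced.
    if (looksLikeUrl(this.lastUserCopy) && looksLikeUrl(value)) {
      return { ok: false, reason: 'URL replaced on clipboard: ' + hostOf(value) };
    }
    if (looksLikeWalletAddress(this.lastUserCopy) && looksLikeWalletAddress(value)) {
      return { ok: false, reason: 'wallet address replaced on clipboard' };
    }
    return { ok: false, reason: 'clipboard content changed since last copy' };
  }
}

function looksLikeUrl(s) {
  try { new URL(s); return true; } catch { return false; }
}

function hostOf(s) {
  try { return new URL(s).host; } catch { return '?'; }
}

// Constructed heuristic: a 0x-prefixed 40-hex-digit token (Ethereum style) or a
// long base58-like token (Bitcoin style). Good enough to classify a swap, not to
// validate an address.
function looksLikeWalletAddress(s) {
  return /^(0x[0-9a-fA-F]{40}|[a-km-zA-HJ-NP-Z1-9]{26,62})$/.test(s);
}

// Browser wiring (assumed DOM); skipped when the file is run outside a browser.
if (typeof document !== 'undefined') {
  const guard = new ClipboardGuard();
  const remember = () => guard.recordCopy(String(document.getSelection()));
  document.addEventListener('copy', remember);
  document.addEventListener('cut', remember);
  document.addEventListener('paste', (e) => {
    const result = guard.checkPaste(e.clipboardData.getData('text/plain'));
    if (!result.ok) {
      e.preventDefault(); // hold the paste and let the user look at it
      console.warn('Clipboard check: ' + result.reason);
    }
  });
}
```

The check only knows about copies made on pages where the guard is installed, so it is a page-level or extension-level mitigation rather than a replacement for the browser fix; its value is that a swapped wallet address or URL is surfaced at the moment it matters, before the paste lands in a transaction form or address bar.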
Google is aware of this vulnerability and is expected to release a patch in the near future. Until then, users should exercise caution, avoid opening untrusted web pages while sensitive content is on the clipboard, and verify what they paste before proceeding with any activity that could jeopardize their personal or financial security.