How Websites Can Hijack Your Clipboard
Those who follow cryptocurrency news may be aware of a new form of malware that specifically targets those who trade in digital currencies. It is called a clipboard hijacker and has been used in a number of recent attacks. While these attacks have been using malware-infused trojans to infect computers, an attacker could implement a hijacker in any web page or extension.
How Clipboard Hijackers Work
A clipboard hijacker, in essence, commandeers a user’s clipboard by controlling its contents. Whenever a user copies something into the clipboard, the hijackers can view the clipboard, and depending upon their contents, replace what is in it.
Clipboard hijackers are a perfect tool for those who want to steal cryptocurrency. Because cryptocurrency addresses are long and complex, it is difficult to tell one from another. So, attackers can often replace the user’s address with their own without notice. They can also use clipboard hijackers for a variety of other malicious purposes.
How JavaScript Is Susceptible to Clipboard Hijacking
JavaScript gives web programmers the ability to catch when a user copies, cuts or pastes into and from a clipboard. It also allows programmers to view and change the contents of the clipboard. Though it has some built-in protections against the kind of clipboard manipulation found in clipboard hijackers.
While JavaScript can notify programmers through an event listener that a user has copied or cut something into the clipboard, they don’t allow them to read clipboard data in these events. Likewise, a programmer cannot write to the clipboard in a paste event.
JavaScript also allows the reading of the clipboard through an asynchronous function called navigator.clipboard.readText(), but this function will warn users if a page tries to read the clipboard before doing so.
However, an attacker can bypass the standard clipboard routines by simply using window.getSelection() in a clipboard copy event, as it provides the currently selected text.
A Clipboard Hijacking Proof of Concept
In this code snippet, I am replacing the character “x” with “y” whenever someone copies an “x” into the clipboard:
document.addEventListener("copy", function (event) {
if (window.getSelection() == "x") {
event.preventDefault();
event.clipboardData.setData("text/plain", "y");
}
});An attacker could place code like this on any web page without triggering warnings to unsuspecting users. Even more ominously, the attacker can place this code into a Chrome extension without requesting any special permissions, allowing them to hijack the clipboard on a global scale.
I reported this issue to Google, with an emphasis on how an attacker could use the exploit in a Chrome extension. Their response was that they didn’t see it as a big problem. Time will tell if they are right.
