Clipboard Hijacking Explained and How to Prevent It in Your Browser

What clipboard hijacking is

Clipboard hijacking is when a malicious actor reads from or writes to your clipboard without your knowledge or consent. Unlike phishing — which requires you to take a deceptive action — clipboard hijacking can happen invisibly in the background while you're doing something else.

There are two main forms: reading and swapping.

Clipboard reading: a script silently reads whatever is currently in your clipboard. If you recently copied a password, email, credit card number, or sensitive document excerpt, that data is now captured.

Clipboard swapping: a script reads what's in your clipboard, detects that it's something valuable (like a crypto wallet address), and replaces it with attacker-controlled content before you paste.

How it happens in a browser

Browsers implement the Clipboard API ('navigator.clipboard'), which provides JavaScript access to clipboard read and write operations. This API requires user permission, but there are several ways the permission model can be bypassed or exploited:

**Supply chain attacks on third-party scripts.** A legitimate site loads analytics, advertising, or feature scripts from a third-party CDN. If that CDN is compromised, the injected script can call the Clipboard API during user interaction events (which sometimes bypass the permission prompt in certain browser versions).

**Malicious extensions.** A browser extension with 'clipboardRead' permission can read your clipboard at any time. Extensions with legitimate reasons to have this permission (password managers, translation tools) can be acquired and updated with malicious versions.

**Inherited permissions.** A site you granted clipboard access to three months ago might still have it. Sites don't lose permissions unless you revoke them.

**Legacy command execution.** Older clipboard access methods via 'document.execCommand' have different and more permissive behavior in some browser versions.

Real-world incidents

In 2019, multiple cryptocurrency exchanges discovered that compromised ad scripts on their pages were calling clipboard read APIs. Users who had wallet addresses copied while visiting these pages had them harvested.

In 2022, a popular browser extension was acquired by a different developer, and the new version was found to be collecting clipboard data. The extension had hundreds of thousands of users.

Prevention at the browser level

Chrome's native clipboard controls (Settings → Privacy and Security → Site Settings → Clipboard) let you set a restrictive default and review which sites have permission. This is the first line of defense.

Audit your Chrome extensions regularly. In chrome://extensions, review which extensions have 'clipboardRead' or 'clipboardWrite' in their permissions. Remove any that don't need it.

Using Clipboard Guard for active interception

Clipboard Guard goes beyond passive settings management. It intercepts all clipboard API calls from web pages and handles them according to your configured policy.

Install it from the Chrome Web Store. Set the default policy to block reads and writes from sites you haven't explicitly trusted. The extension logs all blocked attempts, so you can review which sites are trying to access your clipboard and why.

For suspicious activity — a site you don't trust actively trying to read your clipboard — the log gives you evidence of the attempt and the site responsible.

The extension also protects against clipboard write attacks (the swapping vector). Even if a page has write access in Chrome's native settings, Clipboard Guard can intercept and block the write before it happens.

Conclusion

Clipboard hijacking is a low-visibility attack with high-impact potential. It doesn't require you to click anything or enter credentials — it just needs access to your browser and something sensitive in your clipboard. Combining restrictive native settings, a carefully audited extension list, and Clipboard Guard's active interception gives you defense in depth against all the main attack vectors.