Clipjacking: Hacked by copying text - Clickjacking but better
20/05/2025

Note: FOLLOW ME ON X I NEED FOLLOWERS TO BOOST MY EGO LKJAFBHKLSDJFHGBKD
Well, after the last blog post where Jorian and I hacked a bunch of MCP servers, I put on my nerd goggles and started goofing around with client-side exploitation. There are a few neat tricks/attacks you can use with browsers that I recently came up with that pertain to clipboards. Yep. The coding device that you little goblins use to copy code from Stack Overflow and ChatGPT. I call them clipjacking: like clickjacking, but better. It makes for a pretty good substitute for clickjacking if that isn't an option for one reason or another. Even if you just plan to use normal clickjacking, I highly recommend you read the article anyway, since there are a few tricks I go into that could be very helpful in your client-side exploitation PoCs.
Who ya gonna copy?
(OMG!? MCP: May Cause Pwnage - Backdoors in Disguise reference????). I was tinkering with browsers and was pretty annoyed when some of my ideas didn't work. Suddenly, I got in a bathtub and the water rose by exactly the amount of volume that I took up (OMG!? Archimedes reference? this one finna be an absolute banger 🔥🔥). A fictional lightbulb lit over my head and I thought: what if you just got someone to copy something sensitive and then ate it up (took the clipboard information)? Well, something else that uses the clipboard as a sort of attack vector is called clipboard hijacking, but it's not quite the same as what we're gonna do here. Trust me, I didn't think about this when I thought of the name clipjacking, I promise. Just keep in mind that clipboard hijacking and clipjacking are different. Anyways, I'm gonna cut straight to the chase.
Prerequisites (ugh)
This attack has pretty much the same requirements as clickjacking. You need to be able to iframe the target site, which is possible if both the X-Frame-Options header and the CSP frame-ancestors directive are missing. You also need the user to be authenticated so that the juicy content is shown, which means it requires SameSite=None (or unset on Firefox) cookies.
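As a defender-side check, here is a small Node.js script (added here, not code from the original post) that takes a site's own response headers and reports whether the two prerequisites above hold: the page can be framed from another origin, and its session cookie would still be sent inside that frame. Every header and cookie value is a constructed sample and https://evil.example is a placeholder origin.

```javascript
// Added example (not from the original post); header and cookie values are constructed.
function parseFrameAncestors(csp) {
  // Returns the frame-ancestors source list, or null if the directive is absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

function isFrameableBy(headers, attackerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  // Browsers honour CSP frame-ancestors over X-Frame-Options when both are present.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    const allowed = ancestors.map(s => s.replace(/^'|'$/g, '').toLowerCase());
    if (allowed.includes('none')) return false;
    if (allowed.includes('*')) return true;
    // Simplification: exact origin match only; 'self' never matches a cross-origin framer.
    return allowed.includes(attackerOrigin.toLowerCase());
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  return !(xfo === 'DENY' || xfo === 'SAMEORIGIN'); // no protection at all otherwise
}

function cookieSentInCrossSiteFrame(setCookie, isFirefox) {
  // Would this cookie ride along on requests the cross-site iframe makes?
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const sameSite = attrs.find(a => a.startsWith('samesite='));
  // Chromium treats a missing SameSite as Lax; the post notes Firefox still sends it.
  if (!sameSite) return isFirefox;
  // Flag every SameSite=None (Chromium additionally requires Secure; flagging is the safe side).
  return sameSite.split('=')[1] === 'none';
}

function clipjackingRisk(headers, attackerOrigin, isFirefox) {
  const frameable = isFrameableBy(headers, attackerOrigin);
  const cookie = headers['Set-Cookie'] || headers['set-cookie'] || '';
  const cookieSent = cookie ? cookieSentInCrossSiteFrame(cookie, isFirefox) : false;
  return { frameable, cookieSent, atRisk: frameable && cookieSent };
}
// Constructed sample: no framing protection plus a SameSite=None session cookie.
const weak = { 'Set-Cookie': 'session=abc123; Path=/; Secure; SameSite=None' };
console.log(clipjackingRisk(weak, 'https://evil.example', false)); // atRisk: true
// Hardened: one CSP directive removes the iframe prerequisite entirely.
const fixed = { ...weak, 'Content-Security-Policy': "frame-ancestors 'none'" };
console.log(clipjackingRisk(fixed, 'https://evil.example', false)); // atRisk: false
```

Run it against headers captured from your own site (for example from a curl -I of an authenticated page) to see which of the two prerequisites you are actually exposing.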
Exhibit A: Gotchur clipboard!!
So I made a couple of PoCs. The first one uses the browser's clipboard API to exfiltrate sensitive data from the clipboard. It works like this:
- We embed an iframe onto the main site
- We add some JavaScript to make sure the iframe is always focused:
```javascript
function focusIframe() {
  const iframe = document.getElementById('target-frame');
  if (iframe.contentWindow) {
    iframe.contentWindow.focus();
  }
}
... // Some code that runs it again and again until the end of timeeee
```
- We use some CSS to set overflow to hidden and shove the iframe farther away than your hairline so that the user can't see it
- We have a listener that keeps checking for changes to the clipboard and updates them on the site (or sends them to your server)
- Profit
Before you say "Oh! i cOulD do tHIs by JusT sELECting THe Text and CoPYING IT USIng ThE BroWsER's cLipBoArd APi", no. You can't. The browser doesn't let you copy text from an iframe. At least not in my experience. You also can't just select all content on the main website and copy it since the iframe's content won't get selected.
Here is a simple video demonstration:
The first example shows a bit of how it works under the hood and the other is the final product.
That one was pretty simple, and you can find it on GitHub, but let's have a look at another one that doesn't require access to browser APIs that ask for permission. After all, we are hackers.
Exhibit B: Buggy but better
For this one, I ask the user to hold down Ctrl and type in acv. This selects all, copies and pastes. Simple, right? Nuh uh. How would you detect events in an iframe to switch to the area to paste stuff into? Go on... I'll wait. Or not. You can't detect the select-all and copy shortcuts inside an iframe, but with my super insane master hax, you can 😎.
So basically (credit to Jorian for suggesting this trick), if you perform an action like a click or keypress inside a cross-origin iframe, the parent document becomes user-activated and can detect that through navigator.userActivation. Here is some literature going more in-depth. I just detect that and add some debounce because I don't even remember why (you can change this on your own). So now you may say, "But Jaisal, this detects all events. How would you find a specific one, like copying?" That's the cool thing: for the most part, you don't. Essentially all you need to do is detect normal actions on the main page UI and invalidate actions while those events are going on. There are a few more things you need to take into account, but those are the main brains that make it tick. Here's what we got:
```javascript
// Listen for user actions on the main site
['click', 'mousedown', 'mouseup', 'keydown', 'focusin'].forEach(eventType => {
  document.addEventListener(eventType, function(e) {
    // If the output box is focused, stop focusing the iframe
    if (e.target.id === 'output') {
      outputActive = true;
      focusOnIframe = false;
    } else if (e.target.id !== 'target-frame') {
      // Pause all PoC logic for a while if user interacts with main page
      mainPagePause = true;
      clearTimeout(mainPagePauseTimeout);
      mainPagePauseTimeout = setTimeout(() => {
        mainPagePause = false;
      }, MAIN_PAGE_PAUSE_TIME);
    }
  }, true);
});
...
function detectUserActivation() {
  // Detect user activation in iframe and count actions (debounced)
  if (focusOnIframe && !outputActive && !mainPagePause && navigator.userActivation.isActive) {
    const now = Date.now();
    if (now - lastActivation > ACTIVATION_DEBOUNCE) {
      actionCounter++;
      lastActivation = now;
      if (actionCounter === 2) {
        setTimeout(() => {
          focusOutput();
        }, 100);
      }
    }
  }
}
```
I asked Claude (no, irl friends of mine who are reading this, Claude is not yet another friend of mine) to help me figure out some logic, and it added an extra variable that does the same thing as focusOnIframe, but I'm not gonna touch it because I'm scared it'll poke me :/
Once again, this PoC is available in the same repo on GitHub.
Here's what the second PoC looks like (again, the attack box can be hidden):
Hit me up on discord, "@atomicbyte" as of posting this or just check the link below, for any suggestions, custom PoCs, findings, etc. I would love to hear about them!
For spear phishing attempts, business inquiries, love letters, etc: or