New DoubleClickjacking Attack Bypasses Protections

A novel variation of clickjacking, known as DoubleClickjacking, has been discovered, raising significant security concerns across websites that rely on UI-based authentication mechanisms.

This sophisticated attack, observed by cybersecurity expert Paulos Yibelo, bypasses long-standing defenses like the X-Frame-Options header and SameSite cookies, exploiting a previously overlooked vulnerability in double-click sequences.

How DoubleClickjacking Works

The attack hinges on manipulating the brief delay between two clicks in a double-click sequence. Unlike traditional clickjacking, DoubleClickjacking involves opening a new window and prompting the user to double-click, during which the attacker quickly switches the UI context of the parent window.

This allows malicious actors to trick users into authorizing actions they never intended, such as granting excessive API permissions through OAuth.

The method takes advantage of the timing difference between mousedown and click events.

The first click initiates an action like closing the top window, while the second click inadvertently interacts with a sensitive element in the newly exposed parent window.

The attack requires minimal user interaction, making it highly effective.

Key Exploitation Scenarios

DoubleClickjacking poses risks across several domains:

  • OAuth authorization: Attackers can gain access to user accounts by tricking users into authorizing malicious applications with high-level permissions

  • Account setting manipulations: Actions like disabling security settings or authorizing transactions can be triggered without user consent

  • Browser extensions and mobile apps: Variants of this attack target crypto wallets, web3 transactions and even mobile gestures like double-tapping

Mitigation and Future Steps

Developers can implement protective scripts that disable critical buttons until users demonstrate intentional actions, such as mouse movements or keyboard inputs.
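One way to write the protective script described above, as an added example (not code from the researcher or from any defensive library). The function name `guardSensitiveControls`, its options and the `data-sensitive` attribute are assumptions made for illustration.

```javascript
// Added example: keep sensitive buttons disabled until the user shows intent
// (mouse movement or keyboard input) on this page.
// guardSensitiveControls and the data-sensitive attribute are hypothetical names.
function guardSensitiveControls(target, controls, options = {}) {
  const gestures = options.gestures || ['mousemove', 'keydown'];
  // Browsers set isTrusted to true only for events caused by real user input,
  // so events dispatched from script cannot unlock the controls.
  const isGenuine = options.isGenuine || ((ev) => ev.isTrusted === true);
  const list = Array.from(controls);
  const listenerOpts = { capture: true };
  let armed = false;

  // Lock first: a second click that lands right after the window on top
  // disappears hits a disabled button and does nothing.
  for (const el of list) el.disabled = true;

  function onGesture(ev) {
    if (armed || !isGenuine(ev)) return;
    armed = true;
    for (const el of list) el.disabled = false;
    // The guard has done its job; stop listening.
    for (const type of gestures) {
      target.removeEventListener(type, onGesture, listenerOpts);
    }
  }

  // Capture phase, so other page code that stops propagation cannot
  // prevent the unlock for a legitimate user.
  for (const type of gestures) {
    target.addEventListener(type, onGesture, listenerOpts);
  }

  return { isArmed: () => armed };
}

// Browser wiring: load this at the end of <body> on pages that carry
// consent, payment or security-setting buttons marked with data-sensitive.
if (typeof document !== 'undefined') {
  guardSensitiveControls(document, document.querySelectorAll('[data-sensitive]'));
}
```

A click is deliberately not in the gesture list, since the unintended second click is the event the guard has to survive.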

Long-term solutions may involve browser-level interventions, such as a dedicated HTTP header to restrict rapid context switching during double-click events.

Until browsers adopt these measures, developers are advised to secure sensitive pages with existing defensive libraries and remain vigilant for evolving attack techniques.

According to Yibelo, DoubleClickjacking is a stark reminder of the persistent ingenuity of attackers and the need for proactive security measures.

As this vulnerability impacts nearly all websites supporting OAuth, immediate action is critical to safeguard user data and online accounts.
