New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

January 6, 2025

Clickjacking, also known as UI redressing, is a well-known social engineering technique. By tricking users into clicking a seemingly innocuous UI element, such as a button, on an attacker-controlled domain, threat actors can leverage that click to deploy malicious code, install malware, or exfiltrate sensitive data. Because the technique is well known to security researchers, many websites employ protections against it. However, the cybercrime world is continually evolving, and threat actors have developed multiple new variations on the same theme. A year ago, gesturejacking emerged as a way to gain similar access by inducing users to hold down a key, such as space or enter, on their keyboards, and now the newly discovered technique of doubleclickjacking makes the process even easier.

Doubleclickjacking works like this: first, the victim is induced to visit an attacker-controlled site. That site opens a new window, frequently disguised as some innocuous process such as a CAPTCHA prompt. The user is then asked to double-click something, usually a button, to complete the step. While the double-click is underway, the parent site uses the JavaScript Window Location object to stealthily replace the UI element with another, malicious one between the first and second click. At the same time, the top window is closed, so the second click lands on the parent site's permission confirmation dialog and the user unknowingly grants access.

This bypass technique represents a serious problem. Most web frameworks currently recognize only a forced single click as a security threat and do nothing about double clicks. The technique could be used against websites such as Coinbase to facilitate account takeovers and cause serious financial loss. To mitigate it, web developers will have to adopt a client-side approach that disables critical buttons by default. Dropbox already employs such a policy. In the long run, a new set of browser standards will have to be developed to defend against double-click exploitation.
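As an added illustration of the "disable critical buttons by default" mitigation described above (example code written for this article, not Dropbox's or any vendor's implementation): sensitive buttons start disabled and are only enabled once the page itself has observed a genuine pointer or keyboard gesture and a short settle delay has elapsed, so a click that lands the instant the page appears is dropped. The `MIN_ARM_DELAY_MS` value and the `data-sensitive` selector are assumptions chosen for the example.

```javascript
// Assumed settle time between the first observed gesture on this page and the
// first click we are willing to honour (not a value from the article).
const MIN_ARM_DELAY_MS = 500;

// DOM-independent gate so the decision logic can be unit-tested; `now` is
// injectable for deterministic tests.
function createClickGate(now = () => Date.now()) {
  let armedAt = null; // timestamp of the first real gesture seen on this page
  return {
    // Called from mousemove/keydown/touchstart handlers on the document.
    recordGesture() { if (armedAt === null) armedAt = now(); },
    // Called when the page becomes visible again (e.g. right after a navigation):
    // the gesture that brought the user here happened on a different page.
    reset() { armedAt = null; },
    // Armed only if a gesture was seen at least MIN_ARM_DELAY_MS ago.
    isArmed() { return armedAt !== null && now() - armedAt >= MIN_ARM_DELAY_MS; },
    // A click on a sensitive control is accepted only when the gate is armed.
    shouldAcceptClick() { return this.isArmed(); },
  };
}

// Wire the gate to the DOM; under Node (no `document`) it just returns the gate.
function protectSensitiveButtons(selector = 'button[data-sensitive]', gate = createClickGate()) {
  if (typeof document === 'undefined') return gate;
  const buttons = Array.from(document.querySelectorAll(selector));
  const refresh = () => buttons.forEach(b => { b.disabled = !gate.isArmed(); });
  refresh(); // buttons are disabled on load
  for (const ev of ['mousemove', 'keydown', 'touchstart']) {
    document.addEventListener(ev, () => {
      gate.recordGesture();
      setTimeout(refresh, MIN_ARM_DELAY_MS); // re-enable once the settle delay passes
    }, { passive: true });
  }
  document.addEventListener('visibilitychange', () => { gate.reset(); refresh(); });
  // Capture-phase guard: even if `disabled` is tampered with, early clicks are swallowed.
  buttons.forEach(b => b.addEventListener('click', e => {
    if (!gate.shouldAcceptClick()) { e.preventDefault(); e.stopImmediatePropagation(); }
  }, true));
  return gate;
}
```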
