New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

January 6, 2025

Clickjacking, also known as UI redressing, is a well-known social engineering technique. By tricking users into clicking a seemingly innocuous UI element, such as a button, on an attacker-controlled domain, threat actors can use that click to deploy malicious code, allowing for the delivery of malware or the exfiltration of sensitive data. The technique is familiar to security researchers, and many websites employ protections against it. However, the cybercrime world is continually evolving, and threat actors have developed multiple new variations on the same theme. A year ago, the technique of gesturejacking was developed to gain similar access by inducing users to hold down a key, such as the space bar or Enter, on their keyboards, and now the newly discovered technique of DoubleClickjacking makes the process even easier.

DoubleClickjacking works like this: first, the victim is induced to visit an attacker-controlled site. This site then opens a new window, which frequently takes the form of some innocuous process such as a CAPTCHA prompt. The user is then asked to double-click something to complete the step, usually a button of some kind. While this double-click is underway, the parent site uses the JavaScript window.location property to stealthily replace the UI element with a malicious one between the two clicks. At the same time, the top window is closed, so the second click lands on the permission confirmation dialog on the parent site, and the user unknowingly grants access.

This bypass technique represents a serious problem. Most web frameworks currently only recognize a forced single click as a security threat and do nothing about double clicks. The technique could be used against websites such as Coinbase to facilitate account takeovers, causing serious financial loss. To mitigate it, web developers will have to adopt a client-side approach that disables critical buttons by default. Dropbox already makes use of such a policy. In the long run, a new set of browser standards will have to be developed to defend against double-click exploitation.
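As an added example, not code from the article or from any of the sites it mentions, here is a client-side guard in the spirit of the "disabled by default" mitigation. It assumes (the article does not specify this) that a sensitive button is armed only after a sustained in-page pointer gesture and is disarmed again whenever the window regains focus, so a click that arrives the instant an overlaying window closes finds the button still disabled:

```javascript
// Added example, not from the original article. Guards a sensitive button
// against clicks that arrive before the user has deliberately interacted
// with this page (e.g. the second half of a double-click that began on a
// window the attacker just closed).

// Assumed policy value: the pointer must be moving inside the page for at
// least this long before the button is armed.
const MIN_ARM_DELAY_MS = 500;

// Pure state machine so the policy can be tested without a DOM.
// `now` is injectable for testing; defaults to the wall clock.
function createSensitiveButtonGuard(now = () => Date.now()) {
  const state = { armed: false, firstMoveAt: null };
  return {
    // Call on every pointermove inside the page. Arms the button once the
    // pointer has been active for MIN_ARM_DELAY_MS. Returns the armed state.
    onPointerMove() {
      const t = now();
      if (state.firstMoveAt === null) state.firstMoveAt = t;
      if (t - state.firstMoveAt >= MIN_ARM_DELAY_MS) state.armed = true;
      return state.armed;
    },
    // Call when the window gains focus (e.g. after a popup closes):
    // disarm, because the user has not yet interacted with *this* page.
    onWindowFocus() {
      state.armed = false;
      state.firstMoveAt = null;
      return state.armed;
    },
    // Decide whether a click on the sensitive button should be honoured.
    shouldAcceptClick() {
      return state.armed;
    },
  };
}

// Browser wiring: keeps the button disabled until the guard arms it.
function attachGuard(button, guard = createSensitiveButtonGuard()) {
  button.disabled = true;
  document.addEventListener('pointermove', () => {
    button.disabled = !guard.onPointerMove();
  });
  window.addEventListener('focus', () => {
    guard.onWindowFocus();
    button.disabled = true;
  });
  button.addEventListener('click', (ev) => {
    if (!guard.shouldAcceptClick()) ev.preventDefault();
  });
}

if (typeof document !== 'undefined') {
  // Hypothetical selector: any button marked data-sensitive in the page.
  const btn = document.querySelector('[data-sensitive]');
  if (btn) attachGuard(btn);
}
```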
