New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

January 6, 2025

Clickjacking, also known as UI redressing, is a long-established social engineering technique. The attacker loads a target site in an invisible frame on top of a decoy page on a domain they control, so that when the victim clicks a seemingly innocuous UI element, such as a button, the click actually lands on a sensitive control of the target site, for example an "Authorize" or "Confirm" button, and is carried out with the victim's existing logged-in session. Depending on what that hijacked click does, the attacker can have a malicious application granted access to the account, change security settings, or expose sensitive data. The technique is well known to security researchers, and most major websites defend against it with frame-busting headers such as X-Frame-Options or the Content-Security-Policy frame-ancestors directive. The attacker community keeps evolving, however, and has produced several new variations on the same theme. Roughly a year earlier, the gesturejacking technique achieved a similar result by inducing users to hold down a key, such as Space or Enter, so that the held key activated a focused button on a page the attacker then navigated to; now the newly disclosed DoubleClickjacking technique makes the process even easier.

DoubleClickjacking works like this. First, the victim is induced to visit an attacker-controlled site. That site opens a new window, typically dressed up as some innocuous step such as a CAPTCHA check, which prompts the user to double-click a button to continue. On the first mousedown of that double-click, script on the attacker's pages uses the JavaScript Window Location object to navigate the parent window to the target site's sensitive page, for example an OAuth authorization prompt, and the new (top) window closes itself. The second click of the gesture therefore lands on the parent window, which by then is showing the target site's permission confirmation dialog with its approve button sitting under the cursor, and the user unknowingly grants access. Because the victim really is clicking the target page, loaded first-party in a top-level window rather than in a hidden frame, the browser sees a perfectly ordinary click.
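The sequence above, as an added simulation that is not code from the page or from the original research. Browser windows are replaced by small plain objects so the event timeline can be run and checked outside a browser; in a real browser the decoy's handler would be attached to its own window and would assign to window.opener.location before calling window.close(). The URLs, window names and the authorizeClicks counter are assumptions made for the simulation.

```javascript
// Added example: a Node-runnable model of the DoubleClickjacking event order.
// Not the researcher's proof of concept; all names and URLs are assumed.

const TARGET_AUTHORIZE_URL =
  'https://target.example/oauth/authorize?client_id=attacker-app'; // assumed

// Minimal stand-in for a browser window: a location, an open/closed flag,
// an opener reference and a tiny event dispatcher.
function makeFakeWindow(name, location) {
  const listeners = {};
  return {
    name,
    location,
    closed: false,
    opener: null,
    authorizeClicks: 0, // how many clicks reached the target's Authorize button
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    dispatch(type) {
      for (const fn of listeners[type] || []) fn({ type });
    },
    close() {
      this.closed = true;
    },
  };
}

// Navigation: once the opener is sent to the sensitive page, that page's own
// script runs and its Authorize button (positioned under the cursor by the
// attacker's window placement) starts receiving clicks. Modelled as a listener.
function navigate(win, url) {
  win.location = url;
  if (url === TARGET_AUTHORIZE_URL) {
    win.addEventListener('click', () => { win.authorizeClicks += 1; });
  }
}

// Steps 1-2: the attacker page opens a child window showing the decoy
// ("double-click to verify") prompt.
function openDecoy(parentWin) {
  const child = makeFakeWindow('decoy', 'https://attacker.example/verify');
  child.opener = parentWin;
  // Steps 3-4: on the FIRST mousedown of the double-click the decoy sends its
  // opener to the sensitive page and closes itself, so the second click of
  // the same gesture lands on the opener's Authorize button.
  child.addEventListener('mousedown', () => {
    navigate(child.opener, TARGET_AUTHORIZE_URL); // window.opener.location = ... in a browser
    child.close();                                 // window.close() in a browser
  });
  return child;
}

// The victim double-clicks. Each click is delivered to whichever window is on
// top when its mousedown fires; if that window closes mid-click, the rest of
// that click's events (mouseup/click) die with it.
function simulateDoubleClick(parentWin, child) {
  const timeline = [];
  for (const n of [1, 2]) {
    const top = child.closed ? parentWin : child;
    for (const type of ['mousedown', 'mouseup', 'click']) {
      if (top.closed) {
        timeline.push(`${type}#${n} dropped (decoy closed)`);
        continue;
      }
      top.dispatch(type);
      timeline.push(`${type}#${n} -> ${top.name} @ ${top.location}`);
    }
  }
  return timeline;
}

function runAttack() {
  const opener = makeFakeWindow('opener', 'https://attacker.example/');
  const child = openDecoy(opener);
  const timeline = simulateDoubleClick(opener, child);
  return {
    timeline,
    parentLocation: opener.location,
    authorizeClicks: opener.authorizeClicks,
  };
}

const result = runAttack();
console.log(result.timeline.join('\n'));
console.log(`opener ended at ${result.parentLocation}; Authorize clicks: ${result.authorizeClicks}`);
```

The model deliberately ignores layout and timing: a real attack additionally depends on the target page finishing its load within the inter-click interval (a few hundred milliseconds) and on the decoy button being placed so that the cursor is already over the target's approve button when the opener appears.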

This bypass technique is a serious problem because the established clickjacking defenses simply do not apply. X-Frame-Options, the Content-Security-Policy frame-ancestors directive and SameSite cookie restrictions all assume the target page is embedded in a frame; DoubleClickjacking navigates a top-level window, so the target page loads first-party and none of those protections ever engages. Web frameworks that recognize a single forced click as a threat do nothing about a double click split across two windows. The technique could be used against websites such as Coinbase to facilitate account takeovers, for instance by having the victim approve an attacker-controlled OAuth application, with serious financial loss as the result. To mitigate it today, web developers will have to adopt a client-side approach that keeps critical buttons disabled by default and enables them only after the page has observed a genuine user gesture of its own, such as mouse movement or a key press. Dropbox already applies such a policy. In the long run, browser-level protection, for example a new response header in the spirit of X-Frame-Options, will have to be standardized to defend against double-click exploitation.
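A guard of the kind the paragraph describes, as an added example; this is not Dropbox's code or code from the page. A critical button starts disabled and is only enabled once the page has observed a real mousemove or keydown of its own and a minimum dwell time since load has elapsed. Under DoubleClickjacking the second click reaches a page that was navigated to a moment earlier and has seen no gesture, so it is rejected. The decision logic is kept separate from the DOM wiring so it can be exercised in Node on constructed event streams; the 500 ms threshold, the data-critical selector and the event timings are assumptions.

```javascript
// Added example: client-side "disabled until a genuine gesture" guard for
// critical buttons. Not Dropbox's implementation; thresholds and names are assumed.

const MIN_DWELL_MS = 500; // assumed: clicks within 500 ms of load are never honoured

// Decision state for one page load. `loadedAt` is the load timestamp (ms);
// `gestureSeen` flips once this page sees a real mousemove or keydown.
function createClickGuard(loadedAt) {
  const state = { loadedAt, gestureSeen: false };
  return {
    noteGesture() { state.gestureSeen = true; },
    // Returns 'accept' or a short reason for rejecting a click at time t.
    evaluateClick(t) {
      if (t - state.loadedAt < MIN_DWELL_MS) return 'reject: too soon after load';
      if (!state.gestureSeen) return 'reject: no prior user gesture on this page';
      return 'accept';
    },
  };
}

// Replay a constructed event stream ({type, t} with t in ms) against the
// guard; every 'click' event yields one verdict.
function replayEvents(events) {
  let guard = null;
  const verdicts = [];
  for (const ev of events) {
    if (ev.type === 'load') guard = createClickGuard(ev.t);
    else if (ev.type === 'mousemove' || ev.type === 'keydown') guard.noteGesture();
    else if (ev.type === 'click') verdicts.push(guard.evaluateClick(ev.t));
  }
  return verdicts;
}

// Constructed scenarios (not captured traffic).
// Attack: the opener is navigated on the first mousedown; the second click
// arrives roughly 120 ms later with no pointer movement on the new page.
const ATTACK_EVENTS = [{ type: 'load', t: 0 }, { type: 'click', t: 120 }];
// Legitimate user: page loads, the user moves the mouse, then clicks.
const LEGIT_EVENTS = [
  { type: 'load', t: 0 }, { type: 'mousemove', t: 800 }, { type: 'click', t: 1500 },
];
// Edge case: plenty of dwell time but no gesture at all (e.g. a scripted
// click). Still rejected; the guard is deliberately conservative.
const NO_GESTURE_EVENTS = [{ type: 'load', t: 0 }, { type: 'click', t: 3000 }];

// Browser wiring for a real button. The disabled attribute is the primary
// control; the capture-phase click check is a second line of defence in case
// other script re-enables the button.
function protectButton(button, doc) {
  const loadedAt = Date.now();
  const guard = createClickGuard(loadedAt);
  button.disabled = true;
  const onGesture = () => {
    guard.noteGesture();
    const wait = Math.max(0, MIN_DWELL_MS - (Date.now() - loadedAt));
    setTimeout(() => { button.disabled = false; }, wait);
    doc.removeEventListener('mousemove', onGesture);
    doc.removeEventListener('keydown', onGesture);
  };
  doc.addEventListener('mousemove', onGesture);
  doc.addEventListener('keydown', onGesture);
  button.addEventListener('click', (e) => {
    if (guard.evaluateClick(Date.now()) !== 'accept') {
      e.preventDefault();
      e.stopImmediatePropagation(); // keep the button's own handler from running
    }
  }, true); // capture phase: runs before handlers registered on the button
}

if (typeof document !== 'undefined') {
  const critical = document.querySelector('button[data-critical]'); // assumed selector
  if (critical) protectButton(critical, document);
}

console.log('attack    :', replayEvents(ATTACK_EVENTS));
console.log('legit     :', replayEvents(LEGIT_EVENTS));
console.log('no gesture:', replayEvents(NO_GESTURE_EVENTS));
```

Note that event.isTrusted is no help here: the hijacked click is a genuine user click, which is exactly why the check has to be about what this page has observed before the click rather than about the click itself.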
