New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

January 6, 2025

Clickjacking, also known as UI redressing, is a known social engineering technique. By tricking users into clicking on a seemingly innocuous UI element, such as a button, on an attacker-controlled domain, threat actors can use that access to deploy malicious code, allowing for the deployment of malware or the exfiltration of sensitive data. This technique is well known to security researchers, and many websites employ protections against it. However, the cybercrime world is continually evolving, and threat actors have developed multiple new variations on the same theme. A year ago, the technique of gesturejacking was developed to gain similar access by inducing users to hold down a button, such as the space or enter key, on their keyboards, and now the newly discovered technique of doubleclickjacking makes the process even easier.

Doubleclickjacking works like this: first, the victim is induced to visit an attacker-controlled site. This site then opens a new window, which frequently takes the form of some innocuous process such as a CAPTCHA notification. The user is then prompted to double-click something to complete the step, usually a button of some kind. While this double-click is underway, the parent site makes use of the JavaScript Window Location object to stealthily replace the UI element with another malicious one between clicks. At the same time, the top window is closed, causing the user to unknowingly grant access by approving the permission confirmation dialog on the parent site.

This bypass technique represents a serious problem. Most web frameworks currently only recognize a forced single click as a security threat and do nothing about double clicks. This technique could be utilized with websites such as Coinbase to facilitate account takeovers, causing serious financial loss. In order to mitigate this exploitation technique, web developers will have to make use of a client-side approach that disables critical buttons by default. Dropbox already makes use of such a policy. In the long run, a new set of browser standards will have to be developed to defend against double-click exploitation.

More from Blackwired

March 26, 2025

Deceptive Signatures: Advanced Techniques in BEC Attacks

BEC attacks use email signature tampering to hide phishing links, bypassing security; companies should monitor signature changes.

Read more
March 18, 2025

Red Teaming for Generative AI: A Practical Approach to AI Security

Generative AI has risks, but red teaming can identify flaws, ensuring secure, fair, and reliable AI systems for organizations.

Read more
March 10, 2025

Exploiting DeepSeek-R1: Breaking Down Chain of Thought Security

DeepSeek-R1's exposed CoT reasoning can leak secrets, posing security risks. Companies should filter out "think" tags to avoid exploitation.

Read more

© 2024 Blackwired. All Rights Reserved.