New Vulnerability Bypasses Clickjacking Protections, Leads to Account Compromise
Cybercriminals have discovered a novel method of executing clickjacking attacks by exploiting the brief moment between two mouse clicks. This tactic allows them to mislead victims into authorizing transactions or granting access that they did not intend to permit.
In a recent analysis, security researcher Paulos Yibelo examined this evolving threat where attackers manipulate users into unintentionally making a second click on hidden or misleading elements, successfully bypassing the clickjacking defenses built into modern web browsers. The technique, dubbed “DoubleClickjacking,” poses a serious risk as it allows attackers to coerce users into granting OAuth and API permissions on various prominent platforms.
According to Yibelo, this method could lead to significant security breaches, enabling malicious actors to disable protective features, delete accounts, and authorize unauthorized transactions, often without the victims’ informed consent. Traditional defenses against clickjacking, such as SameSite cookies and X-Frame-Options, have managed to mitigate conventional clickjacking, but they fall short against the nuances of DoubleClickjacking.
The exploit takes advantage of a timing quirk in browser interactions, specifically the gap within a double-click. Attackers set up a scenario in which a webpage opens a second window presenting what looks like a legitimate interaction, such as a CAPTCHA, and prompts the user to double-click. The first click closes that top window, leaving a sensitive control in the underlying page directly under the cursor, so the user's second click lands on it without the user being aware of what was just authorized.
Yibelo demonstrated through proof-of-concept examples that various platforms, including Salesforce, Slack, and Shopify, can be compromised through this technique. The implications extend beyond web applications; DoubleClickjacking poses potential threats to browser extensions and mobile applications, including cryptocurrency wallets and VPN services.
Despite some organizations implementing countermeasures, many remain vulnerable due to the novelty and intricacy of this technique. Established defenses like Content Security Policy and SameSite cookies do not provide adequate protection against this new methodology.
To effectively combat DoubleClickjacking, Yibelo advocates a JavaScript-based defense that keeps critical buttons disabled until the user demonstrates explicit interaction, such as mouse movement or keystrokes. Platforms like Dropbox and GitHub already use this measure, ensuring that sensitive actions cannot be triggered by an inadvertent or manipulated click. Additionally, Yibelo suggests that browser developers consider implementing a “Double-Click-Protection” HTTP header to impede rapid context-switching during double-click events.
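As an added example that is not code from the article, from Dropbox or from GitHub, here is one way to implement the button-gating defense Yibelo describes in plain browser JavaScript. The selector `button[data-sensitive]`, the set of events treated as "explicit interaction", and the DOM-like shape of `doc` and `buttons` are assumptions of this example.

```javascript
// Added example: keep sensitive buttons disabled until the page has seen
// deliberate user interaction, so a click that arrives as the second half of
// a double-click from another window cannot fire them.

// Events that count as explicit interaction (assumed set). A bare click is
// deliberately excluded: in DoubleClickjacking the victim's click IS the attack.
const ARMING_EVENTS = ['mousemove', 'pointermove', 'keydown'];

// Pure state machine, kept separate from the DOM so it can be unit-tested.
function createInteractionGate() {
  let armed = false;
  return {
    // Feed one event; returns true once the gate is armed.
    observe(event) {
      // Script-dispatched events carry isTrusted === false; ignore them so
      // a page cannot arm the gate by synthesising a mousemove.
      if (event.isTrusted === false) return armed;
      if (ARMING_EVENTS.includes(event.type)) armed = true;
      return armed;
    },
    allowClick() { return armed; },
    isArmed() { return armed; },
  };
}

// Wire the gate to DOM nodes. `doc` is the document (or any object exposing
// add/removeEventListener); `buttons` is an iterable of elements with a
// `disabled` property and addEventListener.
function protectSensitiveButtons(doc, buttons) {
  const gate = createInteractionGate();
  const list = Array.from(buttons);
  for (const b of list) b.disabled = true;          // disabled until armed
  const onArm = (ev) => {
    if (gate.observe(ev)) {
      for (const b of list) b.disabled = false;     // enable after real input
      for (const t of ARMING_EVENTS) doc.removeEventListener(t, onArm);
    }
  };
  for (const t of ARMING_EVENTS) doc.addEventListener(t, onArm);
  // Belt and braces: swallow any click that somehow arrives before arming
  // (capture phase, so it runs before the button's own handlers).
  for (const b of list) {
    b.addEventListener('click', (ev) => {
      if (!gate.allowClick()) { ev.preventDefault(); ev.stopImmediatePropagation(); }
    }, true);
  }
  return gate;
}

if (typeof document !== 'undefined') {
  protectSensitiveButtons(document, document.querySelectorAll('button[data-sensitive]'));
}
```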