A researcher has devised a new attack strategy that leverages double-clicks to target users. Identified as DoubleClickjacking, these attacks can bypass most existing anti-clickjacking measures.
DoubleClickjacking Attack Threatens Most Existing Websites
Security researcher Paulos Yibelo demonstrated DoubleClickjacking attacks as the new threat for most websites.
Clickjacking has long been a potent threat to users, enabling attackers to steal data while staying under the radar. However, with time, robust security measures have been developed to prevent clickjacking attacks. Nonetheless, DoubleClickjacking attacks can bypass most existing security checks, posing a new website threat.
Specifically, these attacks exploit the time difference between the two clicks. While clickjacking involves overlaying sites with attacker-generated windows to capture users’ clicks, DoubleClickjacking improvises this technique by changing screens from the start of the first click to the end of the second click.
The attacker may display screens with clickbait buttons such as “click here” to perform an action, prompting the user to double-click. Once clicked, the webpage quickly changes to hijack the second click for the other page. Here, the actions may include any malicious activities to target the victim user, such as authorizing an attacker’s account integration or bypassing an MFA prompt.
This attack is unique and more potent in that it doesn’t pass cookies to another website but executes directly on a target website. Since it bypasses most existing anti-clickjacking techniques, almost all websites are vulnerable to DoubleClickjacking attacks.
Besides websites, this attack also works against browser extensions and mobile applications (requiring the victim to “double tap” instead).
The researcher shared the following video demonstrating the attack, whereas they shared the PoC in their post.
Suggested Countermeasures
Despite all its severity, DoubleClickjacking isn’t an entirely unavoidable attack. The researcher has proposed various mitigation strategies for vulnerable websites and apps to remain safe. These include applying client-side protection by running scripts to prevent clicks on sensitive buttons and implementing iframe-based clickjacking prevention scripts, among others.
Let us know your thoughts in the comments.
