Emerging ‘DoubleClickjacking’ Threat Exploits Double-Clicks for Account Hijacking

Vlad CONSTANTINESCU

January 03, 2025


A security researcher has disclosed a web attack technique that turns an ordinary double-click into an authorized action on a legitimate site, putting online accounts at risk.

Emerging clickjacking threat

The so-called “DoubleClickjacking” technique, discovered by researcher Paulos Yibelo, hijacks the second click of a user's double-click to defeat the browser's clickjacking protections.

The risks associated with DoubleClickjacking stem from how it deceives users into performing sensitive actions, such as authorizing OAuth applications, acknowledging multi-factor authentication (MFA) prompts, or even installing browser extensions.

Traditional clickjacking loads the target site in a hidden iframe and tricks the victim into clicking through it, which is what frame-busting headers were designed to stop. DoubleClickjacking never frames the target at all; it relies instead on timing and on the victim's own input, so iframe-related protections do not apply.

How DoubleClickjacking works

A typical DoubleClickjacking attack involves the following:

  1. The lure: The victim lands on a malicious web page that hosts an enticing button labeled with a lure, such as “Click here for your reward”
  2. Layered deception: Clicking the button opens a new window on top of the attacker's page, prompting the victim to double-click to perform a seemingly harmless action, such as solving a captcha
  3. Bait and switch: While the overlay has the victim's attention, the attacker's JavaScript navigates the underlying page to a legitimate website, positioned so that a sensitive button or link sits directly under the cursor; the first click of the double-click closes the overlay
  4. The exploit: The second click lands on the now-exposed sensitive button of the legitimate site, triggering actions such as granting permissions or authorizing transactions

Implications of the attack

Because the legitimate site is never loaded in a frame, this manipulation circumvents traditional clickjacking defenses such as X-Frame-Options and the Content-Security-Policy frame-ancestors directive. And because the second click is a genuine first-party interaction with the legitimate site in a top-level window, SameSite cookie attributes and cross-site request protections, which guard against forged cross-origin requests, offer no protection either.

To make matters worse, the attack is not limited to websites in desktop browsers; browser extensions and mobile devices are affected as well.

“This technique can be used to attack not only websites but browser extensions as well,” Paulos Yibelo explains. “For example, I have made proof of concepts to top browser crypto wallets that use this technique to authorize web3 transactions & dApps or disabling VPN to expose IP etc. This can also be done in mobile phones by asking target to ‘DoubleTap’.”

Current defenses fall short

Unfortunately, timing-based attacks of this kind still lack a solid browser-level defense. Yibelo proposes two mitigations:

  1. JavaScript protection: Keep sensitive buttons disabled until a genuine user gesture, such as a mouse movement or key press, is detected on the page; a double-click produces no such event between its two clicks, so the hijacked second click never reaches an enabled control
  2. HTTP headers: A new header (not implemented by any browser yet) that would let a site opt out of rapid context-switching between browser windows during a double-click sequence, removing the behavior the attack depends on

The JavaScript mitigation adds a small amount of friction for users, but it prevents a click that arrives before the user has actually interacted with the page from landing on a sensitive element.
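As an added example (not code from the article or from Yibelo's write-up), the following models the gesture-gated mitigation above: sensitive controls stay disarmed from the moment the page loads, becomes visible or regains focus until a cooldown has passed and a real pointer movement or key press has been seen. The names createClickGuard, installClickGuard and the 500 ms threshold are this example's own assumptions, and the event timelines it replays are constructed to illustrate the attack's timing, not measured data. Under Node it runs the timelines only; in a browser it also wires the guard to every `button[data-sensitive]`.

```javascript
// Added example, not from the article or from Paulos Yibelo's write-up.
// createClickGuard / installClickGuard and the thresholds are assumptions.

const DEFAULTS = {
  minVisibleMs: 500,    // ignore clicks this soon after the page gained focus
  requireGesture: true, // and require a mousemove/keydown after that moment
};

function createClickGuard(options = {}) {
  const config = { ...DEFAULTS, ...options };
  let visibleSince = null; // when the page last loaded, became visible or gained focus
  let gestureSeen = false; // a genuine pointer move or key press since visibleSince

  function decide(ts) {
    if (visibleSince === null) return { ts, allowed: false, reason: 'not-visible' };
    if (ts - visibleSince < config.minVisibleMs) return { ts, allowed: false, reason: 'too-soon' };
    if (config.requireGesture && !gestureSeen) return { ts, allowed: false, reason: 'no-gesture' };
    return { ts, allowed: true, reason: 'ok' };
  }

  return {
    config,
    // load / visibilitychange / focus: the attacker's navigation of the
    // underlying page and the overlay closing both end up here, so every
    // sensitive control is disarmed again.
    onVisible(ts) { visibleSince = ts; gestureSeen = false; },
    // mousemove, pointermove or keydown: a double-click produces none of these
    // between its two clicks, which is exactly what the attack relies on.
    onGesture(ts) { if (visibleSince !== null && ts >= visibleSince) gestureSeen = true; },
    isArmed(ts) { return decide(ts).allowed; },
    decide,
  };
}

// Replay a constructed event timeline through a fresh guard and return the
// verdict for every click. Each event is [type, timestampMs].
function replay(events, options) {
  const guard = createClickGuard(options);
  const verdicts = [];
  for (const [type, ts] of events) {
    if (type === 'visible') guard.onVisible(ts);
    else if (type === 'gesture') guard.onGesture(ts);
    else if (type === 'click') verdicts.push(guard.decide(ts));
    else throw new Error(`unknown event ${type}`);
  }
  return verdicts;
}

// Constructed timelines (milliseconds), not measured data.
// DoubleClickjacking: the overlay closes on the first click, the underlying
// window (already navigated to the target site) regains focus, and the second
// click arrives a few tens of milliseconds later with no pointer movement.
const ATTACK_TIMELINE = [['visible', 1000], ['click', 1080]];
// A patient attacker who delays the second click still cannot produce a
// mousemove or keydown on the target origin.
const SLOW_ATTACK_TIMELINE = [['visible', 1000], ['click', 1700]];
// A real user: page open for a while, pointer moves, then the button is clicked.
const USER_TIMELINE = [['visible', 0], ['gesture', 900], ['click', 1400]];

function replayDoubleClickjacking() { return replay(ATTACK_TIMELINE); }
function replaySlowDoubleClickjacking() { return replay(SLOW_ATTACK_TIMELINE); }
function replayLegitimateUser() { return replay(USER_TIMELINE); }

// Browser wiring: keep every control matching `selector` disabled until the
// guard arms it, and swallow any click the guard rejects. Skipped under Node.
function installClickGuard(win, doc, selector, guard = createClickGuard()) {
  const now = () => win.performance.now();
  const setDisabled = (flag) => doc.querySelectorAll(selector).forEach((el) => { el.disabled = flag; });
  const disarm = () => { guard.onVisible(now()); setDisabled(true); };
  const rearm = () => {
    guard.onGesture(now());
    const refresh = () => setDisabled(!guard.isArmed(now()));
    refresh();
    win.setTimeout(refresh, guard.config.minVisibleMs); // re-check once the cooldown has elapsed
  };
  win.addEventListener('focus', disarm);
  doc.addEventListener('visibilitychange', () => { if (doc.visibilityState === 'visible') disarm(); });
  win.addEventListener('mousemove', rearm);
  win.addEventListener('keydown', rearm);
  doc.addEventListener('click', (ev) => {
    if (ev.target.matches && ev.target.matches(selector) && !guard.isArmed(now())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);
  disarm();
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installClickGuard(window, document, 'button[data-sensitive]');
}
```

Resetting on focus, not just on load, is the important design choice: the attacker navigates the underlying window to the target site while the overlay still has focus, so the target page may have been loaded for seconds by the time the second click arrives. The focus event the overlay's closure triggers is what disarms the controls again, and the missing gesture is what keeps them disarmed.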

Specialized security software

Specialized software like Bitdefender Ultimate Security can shield you from malicious web pages and other digital intrusions. It fends off viruses, worms, Trojans, spyware, ransomware, zero-day exploits, rootkits, and other cyber threats.

Its key features include complete, real-time data protection, network threat prevention, behavioral detection for active apps, multi-layer ransomware protection, web attack prevention, anti-fraud technology, and AI-assisted scam protection.

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.