Hoplon InfoSec
01 Jan, 2025
In the ever-evolving world of cybersecurity, a new and sophisticated attack technique known as “DoubleClickjacking” has emerged. This advanced method bypasses existing clickjacking protections, creating a significant challenge for online platforms. It threatens the security of major websites and puts users at risk of account takeovers.
DoubleClickjacking builds upon the decade-old concept of clickjacking by introducing a subtle but impactful twist. Traditional clickjacking tricks users into clicking hidden or disguised buttons, often leading to unauthorized actions. While modern web browsers have mitigated traditional clickjacking risks by setting cookies to “SameSite: Lax” by default, DoubleClickjacking circumvents these safeguards by exploiting a two-click sequence.
In this new attack method, demonstrated by cybersecurity expert Paulos, users are misled into double-clicking on a seemingly harmless prompt. During this action, attackers manipulate the timing and sequence of events to replace or close the top-level browser window and swap in a sensitive page, such as an OAuth authorization dialog or an account setting confirmation page. The unsuspecting user’s second click unknowingly authorizes a malicious action, granting attackers access to their accounts.
The attacker creates a website containing a button that opens a new window. This window displays an innocent-looking prompt, such as “Double-click to verify you’re not a robot.”
When the user clicks the button, a sequence of actions unfolds:
This technique exploits the timing difference between mouse down and mouse up events, seamlessly swapping the window content without detection.
The implications of DoubleClickjacking are far-reaching, especially for platforms relying on OAuth for account authorization. A successful attack can:
Tests have shown that many major websites, including those supporting OAuth (e.g., Salesforce, Slack, and Shopify), are vulnerable to this attack. Additionally, traditional defenses like X-Frame-Options headers, Content Security Policies (CSP), and SameSite cookies are ineffective against this technique.
The risk extends beyond websites to browser extensions, such as cryptocurrency wallets or VPNs. Attackers can exploit DoubleClickjacking to turn off security features or authorize unauthorized transactions, highlighting the attack’s extensive reach.
Developers can implement JavaScript-based solutions to turn off sensitive buttons by default unless genuine user interaction is detected. For instance:
(function() {
if (window.matchMedia && window.matchMedia("(hover: hover)").matches) {
var buttons = document.querySelectorAll('form button, form input[type="submit"]');
buttons.forEach(button => button.disabled = true);
function enableButtons() {
buttons.forEach(button => button.disabled = false);
}
document.addEventListener("mousemove", enableButtons);
document.addEventListener("keydown", e => {
if (e.key === "Tab") enableButtons();
});
}
})();
This script ensures buttons remain disabled until user activity—like moving a mouse or pressing a key—is detected, preventing automated or tricked clicks. Platforms like Dropbox have already implemented similar measures.
Addressing the issue at the root level requires browser-level changes. Potential measures include:
Developers can adopt several strategies to minimize risks:
Doubleclickjacking represents a new frontier in web-based attacks. It exploits timing vulnerabilities in user interactions to bypass established clickjacking defenses. The evolution of such attack techniques underscores the importance of staying proactive in cybersecurity efforts.
Effective mitigation requires collaboration between developers, browser vendors, and security experts. While developers can implement immediate client-side solutions, browser vendors must introduce long-term standards and enhancements to address these vulnerabilities at their core.
Educating users about the risks of DoubleClickjacking is equally crucial. Users should:
As the digital landscape continues to evolve, so do the methods employed by cybercriminals. DoubleClickjacking is a stark reminder of the need for vigilance and innovation in cybersecurity. By implementing robust client-side protections, advocating for browser-level enhancements, and educating users, we can collectively reduce the risks posed by this sophisticated attack. Safeguarding user data and trust requires constant effort, but it is essential in the face of ever-changing threats.
For More:
Share this :