A sophisticated variation of clickjacking attacks called “DoubleClickjacking” has emerged, enabling attackers to bypass existing security measures and trick users into authorizing sensitive actions through double-clicks.
Unlike traditional clickjacking attacks that rely on hidden iframes, DoubleClickjacking exploits the timing of a mouse double-click through a two-step process. First, users are lured into clicking a seemingly harmless button. That click opens a new window showing a fake CAPTCHA prompt that asks for a double-click. When the user double-clicks, the overlay window closes between the first and second click, so the second click lands on an exposed authorization button on the legitimate website underneath.
Security researcher Paulos Yibelo demonstrated the attack’s effectiveness against major platforms including Shopify, Slack, and Salesforce. The technique proves particularly dangerous as it circumvents standard clickjacking protections by operating directly on legitimate sites rather than using iframes or cross-domain cookies.
The attack’s versatility extends beyond websites to browser extensions, cryptocurrency wallets, and mobile applications. Potential consequences include unauthorized account access, plugin installations, and OAuth application connections.
Proposed Security Measures:
– Adding JavaScript that keeps sensitive buttons disabled until a deliberate user gesture is detected on the page
– Introducing HTTP headers that restrict rapid window context-switching during a double-click
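One way to implement the first of these measures in the browser, written here as an added example rather than code from the article or from the researcher: the sensitive button starts disabled and is only enabled after a mousemove or keydown on the page, and (an extra heuristic assumed here, not proposed on the page) a click arriving within a short interval of the window gaining focus is also rejected. `fakeTarget`, `MIN_MS_SINCE_FOCUS` and the two scenario functions are constructed for the example so it runs outside a browser.

```javascript
// Added example (not from the article): default-deny gate for a sensitive button.
// The button is disabled until a real gesture (mousemove/keydown) is seen on this
// page; a click that lands right after the window gains focus is also dropped,
// because in DoubleClickjacking the second click hits a window that became active
// only milliseconds earlier. `button`, `win` and `now` are injected so the logic
// runs in Node; in a real page pass the <button>, window and Date.now.

const MIN_MS_SINCE_FOCUS = 500; // assumed threshold; tune for the application

function createGestureGate(button, win, now = () => Date.now()) {
  let gestureSeen = false;
  let lastFocusAt = now();
  button.disabled = true; // stays disabled until a deliberate gesture is observed

  const onGesture = () => { gestureSeen = true; button.disabled = false; };
  win.addEventListener('mousemove', onGesture);
  win.addEventListener('keydown', onGesture);
  win.addEventListener('focus', () => { lastFocusAt = now(); });

  // Call from the button's click handler; false means the click must be ignored.
  const shouldAccept = () => gestureSeen && now() - lastFocusAt >= MIN_MS_SINCE_FOCUS;
  return { shouldAccept };
}

// Constructed stand-in for a DOM EventTarget so the scenarios run without a browser.
function fakeTarget() {
  const listeners = {};
  return {
    disabled: false,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type) { (listeners[type] || []).forEach((fn) => fn()); },
  };
}

// Scenario 1: overlay closes, target window gains focus, the user's second click
// arrives 50 ms later and no gesture has happened on this page.
function simulateDoubleClickjackingClick() {
  let t = 1000;
  const win = fakeTarget(), button = fakeTarget();
  const gate = createGestureGate(button, win, () => t);
  win.dispatch('focus'); t += 50;
  return { accepted: gate.shouldAccept(), buttonDisabled: button.disabled };
}

// Scenario 2: the page has been focused for a while, the user moves the mouse
// to the button and clicks.
function simulateLegitimateClick() {
  let t = 1000;
  const win = fakeTarget(), button = fakeTarget();
  const gate = createGestureGate(button, win, () => t);
  t += 3000; win.dispatch('mousemove');
  return { accepted: gate.shouldAccept(), buttonDisabled: button.disabled };
}
```

In a real page the button's click handler would return early when `shouldAccept()` is false, and a disabled button does not deliver click events at all, which is what stops the hijacked second click.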
This vulnerability affects numerous platforms, highlighting the need for enhanced security measures against this new form of social engineering attack.