Security researchers have identified a significant vulnerability dubbed “DoubleClickjacking” that affects major websites worldwide. This new attack method, discovered by researcher Paulos Yibelo, bypasses traditional clickjacking protections by exploiting double-click sequences.
Unlike conventional clickjacking attacks, which rely on a single click to deceive users, DoubleClickjacking exploits the timing gap between the two clicks of a double-click to sidestep defenses such as X-Frame-Options headers and SameSite cookies.
How DoubleClickjacking Works:
1. Users visit a malicious website that opens a new browser window
2. The window requests a seemingly harmless double-click action
3. During the double-click sequence, the parent site redirects to a malicious page
4. The top window closes before the second click, which therefore lands on the parent page, where the user unknowingly grants permissions
The vulnerability is particularly dangerous because existing security frameworks primarily focus on single-click protection, leaving systems vulnerable to this double-click exploitation technique.
Mitigation Strategies:
– Website owners can add client-side safeguards around sensitive controls
– Disable critical buttons by default until specific user actions are detected
– Services like Dropbox have already implemented protective measures
– Browser vendors should develop new security standards to address the technique
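As an added example (not code from the article, from the researcher, or from any of the services it mentions), here is one way to implement the second mitigation above in the browser: sensitive buttons stay disabled until the page itself observes a deliberate user gesture (a mouse move or key press), and every time the page regains focus they are disarmed again, because in the attack the second click arrives on the parent page immediately after the attacker's window closes. The `data-sensitive` attribute, the `settleMs` parameter and its 500 ms default are assumptions made for this illustration, not values from the article, and the timelines in the two `simulate…` functions are constructed.

```javascript
// Added example (not from the article): a client-side guard that keeps
// sensitive buttons disabled until the page sees a deliberate user gesture.
// The decision logic is DOM-free so it can be unit-tested; the DOM wiring
// at the bottom only runs when a browser document exists.

// Hypothetical parameter: for this many ms after the page (re)gains focus,
// a click on a sensitive control is refused even if a gesture was seen.
const DEFAULT_SETTLE_MS = 500;

function createSensitiveActionGuard(options = {}) {
  const settleMs = options.settleMs ?? DEFAULT_SETTLE_MS;
  let armed = false;          // true once a mousemove/keydown was observed
  let focusedAt = -Infinity;  // timestamp of the last focus/visibility gain

  return {
    // Call when the document gains focus or becomes visible again
    // (e.g. right after an attacker's window closes): disarm everything.
    onFocusGained(nowMs) {
      armed = false;
      focusedAt = nowMs;
    },
    // Call on mousemove / keydown: a real user is interacting with this page.
    onUserGesture() {
      armed = true;
    },
    isArmed() {
      return armed;
    },
    // Decide whether a click on a sensitive control should be honoured.
    shouldAcceptClick(nowMs) {
      if (!armed) return false;               // no gesture seen since focus
      if (nowMs - focusedAt < settleMs) return false; // too soon after focus
      return true;
    },
  };
}

// Constructed timeline of the attack described above: the parent page is
// focused at t=1000 ms when the top window closes, and the second click of
// the double-click lands at t=1050 ms with no gesture observed on this page.
function simulateDoubleClickjacking(guard) {
  guard.onFocusGained(1000);
  return guard.shouldAcceptClick(1050); // expected: false (click refused)
}

// Constructed timeline of a legitimate user: focus, then a mouse movement
// toward the button, then a click well after the settle window.
function simulateLegitimateUser(guard) {
  guard.onFocusGained(1000);
  guard.onUserGesture();
  return guard.shouldAcceptClick(2500); // expected: true (click accepted)
}

// Browser wiring (skipped under Node): buttons marked data-sensitive are
// disabled until armed, and clicks are intercepted in the capture phase on
// the document so the check runs before any application click handler.
if (typeof document !== 'undefined') {
  const guard = createSensitiveActionGuard();
  const buttons = () => document.querySelectorAll('[data-sensitive]');
  const refresh = () => buttons().forEach((b) => { b.disabled = !guard.isArmed(); });
  const disarm = () => { guard.onFocusGained(performance.now()); refresh(); };

  window.addEventListener('focus', disarm);
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'visible') disarm();
  });
  ['mousemove', 'keydown'].forEach((ev) =>
    document.addEventListener(ev, () => { guard.onUserGesture(); refresh(); }));
  document.addEventListener('click', (e) => {
    if (!e.target.closest('[data-sensitive]')) return;
    if (!guard.shouldAcceptClick(performance.now())) {
      e.preventDefault();
      e.stopImmediatePropagation();
    }
  }, true);

  disarm(); // start disarmed: buttons are disabled until a gesture is seen
}
```

The settle window is a second, defence-in-depth check layered on the gesture requirement, so a click that arrives in the first few hundred milliseconds after the page regains focus is refused even if some input event slipped in first. This is a client-side control only: X-Frame-Options or a frame-ancestors policy and SameSite cookies remain necessary against ordinary clickjacking, which this guard does not address.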
This discovery follows Yibelo’s previous finding of “cross window forgery,” which exploited keyboard inputs to achieve similar malicious outcomes on platforms like Coinbase and Yahoo.
The research highlights the evolving nature of web security threats and the need for updated protection mechanisms against sophisticated UI manipulation attacks.