A newly discovered "DoubleClickjacking" exploit has been unveiled, exposing a significant vulnerability that bypasses traditional clickjacking protections on most major websites. This innovative attack method allows threat actors to execute account takeovers and UI manipulation attacks with minimal user interaction.
What Is DoubleClickjacking?
The exploit, named DoubleClickjacking, was introduced by security researcher Paulos Yibelo. Unlike traditional clickjacking techniques that rely on a single click, this method manipulates a double-click sequence to circumvent even the most robust protections, including:
- X-Frame-Options headers
- SameSite=Lax/Strict cookies
Yibelo emphasizes that while this may seem like a minor adjustment, the technique creates opportunities for sophisticated attacks that existing defenses fail to mitigate.
Clickjacking, also known as UI redressing, typically tricks users into clicking a disguised webpage element—such as a button—to deploy malware or steal sensitive information. DoubleClickjacking elevates this approach by exploiting the timing between the first and second clicks in a double-click event.
How Does DoubleClickjacking Work?
The attack involves a carefully crafted sequence to bypass security mechanisms and take control of user accounts:
- The user visits a malicious site that either opens a new browser window or tab without interaction or with a single click.
- The new window mimics legitimate elements, such as a CAPTCHA verification, and prompts the user to double-click.
- During the double-click action:
  - The JavaScript window.location object is used to redirect the user to a malicious page, such as one approving a rogue OAuth application.
  - Simultaneously, the top window is closed, leaving the user unaware they've granted permissions to the attacker.
This seamless manipulation allows attackers to bypass critical security layers and compromise user accounts with minimal effort.
Why Is DoubleClickjacking Dangerous?
Yibelo highlights that current web applications and frameworks are primarily designed to defend against single-click attacks. Security mechanisms like Content Security Policy (CSP), SameSite cookies, and X-Frame-Options headers were not built to address vulnerabilities arising from timing-based double-click sequences.
"DoubleClickjacking adds a layer many defenses were never designed to handle," Yibelo warns.
Protecting Against DoubleClickjacking
To mitigate this vulnerability, website owners can implement client-side defenses that deactivate critical buttons by default unless specific user gestures (mouse movements or keypresses) are detected. Services like Dropbox have already adopted such measures to prevent similar threats.
For long-term protection, browser vendors should consider adopting new standards akin to X-Frame-Options specifically designed to defend against double-click exploits.
Related Vulnerability: Cross Window Forgery
This disclosure follows Yibelo's prior revelation of another clickjacking variant called Cross Window Forgery (or Gesture-Jacking) in 2024. Gesture-jacking relies on persuading victims to hold down the Enter or Space keys on attacker-controlled websites, triggering malicious actions.
This technique was shown to affect platforms like Coinbase and Yahoo!, allowing attackers to take over accounts if a logged-in user visited a malicious site. The exploit leveraged predictable values in OAuth application authorization buttons to grant unauthorized access.
Key Takeaways
- DoubleClickjacking represents a new frontier in clickjacking attacks, bypassing existing defenses with ease.
- Website owners must adopt gesture-based protections to deactivate critical buttons under suspicious conditions.
- Browser vendors should prioritize new standards to address this emerging threat.
Stay vigilant and ensure your website is equipped with advanced UI manipulation protections to thwart the ever-evolving arsenal of cybercriminals.