DoubleClickjacking: A New Era of UI Redressing
As traditional “clickjacking” methods become less effective with modern browser security settings, a new technique, DoubleClickjacking, has emerged. This approach exploits a double-click sequence to engineer UI redressing attacks, circumventing all known clickjacking defenses like X-Frame-Options and SameSite cookies, posing a significant risk of account takeovers.
Root Cause
DoubleClickjacking leverages a timing and event-order quirk by manipulating browser windows and exploiting the time delay between mousedown and onclick events. An attacker initiates with a decoy window prompt, and through strategic window switching, captures critical user actions like authentication approvals during the double-click process.
How It Can Be Exploited
OAuth & API Permissions: Targets can be misled into granting extensive permissions to malicious apps, leading to account takeovers on platforms supporting OAuth.
One-Click Account Changes: Users may unknowingly alter account settings, including security preferences or transaction confirmations.
Why It’s Dangerous
DoubleClickjacking bypasses traditional clickjacking protections, attacks multiple platforms including browser extensions, and requires minimal user interaction. It introduces new vulnerabilities, impacting a wide range of websites and applications.
Mitigation Ideas
Client-Side Protection
To mitigate this vulnerability, a JavaScript safeguard can keep sensitive buttons disabled until a genuine user gesture has been detected on the page, so that a click which arrives without any preceding interaction (as happens in the double-click window switch) is not honoured.
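The following is an added illustration of that client-side safeguard; it is not code from the original article or from the DoubleClickjacking research. It assumes that sensitive controls carry a `data-sensitive` attribute, that real DOM events arrive with `isTrusted === true`, and that a short minimum delay (300 ms, chosen here as an assumption) between the first gesture and the click is acceptable for the application. The `GestureGate` logic is kept separate from the DOM wiring so it can be unit-tested without a browser.

```javascript
// Added example (not from the original article): gate sensitive buttons behind
// a genuine user gesture. Assumed: controls marked with data-sensitive, real
// DOM events with isTrusted === true, and a 300 ms minimum gesture-to-click gap.

const GESTURE_EVENTS = ["mousemove", "pointermove", "keydown"];

class GestureGate {
  constructor() {
    this.armed = false;   // true once a trusted gesture has been seen
    this.armedAt = null;  // timestamp (ms) of that gesture
  }

  // Record a candidate gesture. Script-dispatched events carry
  // isTrusted === false and are ignored, so an attacker page cannot
  // "pre-arm" the gate by synthesising a mousemove.
  recordGesture(evt, now = Date.now()) {
    if (!evt || evt.isTrusted !== true) return false;
    if (!GESTURE_EVENTS.includes(evt.type)) return false;
    this.armed = true;
    this.armedAt = now;
    return true;
  }

  // Honour a click only if it is trusted, a gesture was seen on this page,
  // and at least minDelayMs has elapsed since that gesture. A click landing
  // on the page immediately after a window switch fails both checks.
  allowClick(evt, now = Date.now(), minDelayMs = 300) {
    if (!evt || evt.isTrusted !== true) return false;
    if (!this.armed) return false;
    return now - this.armedAt >= minDelayMs;
  }

  // Losing focus or being hidden resets the gate: the next interaction
  // has to begin with a fresh gesture on this page.
  reset() {
    this.armed = false;
    this.armedAt = null;
  }
}

// Wire the gate to a document. Returns the gate so callers can inspect it.
function protectSensitiveButtons(doc, gate = new GestureGate()) {
  const controls = Array.from(doc.querySelectorAll("[data-sensitive]"));
  const setDisabled = (flag) => controls.forEach((el) => { el.disabled = flag; });

  setDisabled(true); // start locked

  GESTURE_EVENTS.forEach((type) => {
    doc.addEventListener(type, (evt) => {
      if (gate.recordGesture(evt)) setDisabled(false);
    });
  });

  // Defence in depth: even an enabled button re-checks timing on click.
  controls.forEach((el) => {
    el.addEventListener("click", (evt) => {
      if (!gate.allowClick(evt)) {
        evt.preventDefault();
        evt.stopImmediatePropagation();
      }
    }, true); // capture phase, so it runs before the app's own handler
  });

  // Re-lock when the tab is hidden or the window loses focus.
  const relock = () => { gate.reset(); setDisabled(true); };
  doc.addEventListener("visibilitychange", () => { if (doc.hidden) relock(); });
  const win = doc.defaultView;
  if (win) win.addEventListener("blur", relock);

  return gate;
}

// Only activate in a real browser, and only at top level (framed pages are
// already the domain of X-Frame-Options / frame-ancestors).
if (typeof document !== "undefined" && typeof window !== "undefined" &&
    window.self === window.top) {
  protectSensitiveButtons(document);
}
```

The gate deliberately rejects a trusted click that follows the gesture too quickly: in the attack flow the victim's second click is delivered to the target page without any prior interaction there, so requiring both a prior gesture and a small delay closes the timing gap the technique depends on, at the cost of a brief lockout for very fast real users.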
Long-Term Browser Solutions
In the long run, browsers could adopt standards to regulate rapid window context-switching during double-click sequences, similar to existing methods for preventing clickjacking.
Best Practices for Developers
Implement protective scripts across sensitive pages, and anticipate future browser updates that will address double-click vulnerabilities.
DoubleClickjacking represents an evolution in attack strategies, exploiting minute timing differences to compromise security. Developers and browser manufacturers must stay vigilant and proactive in deploying mitigations.