DoubleClickjacking Attacks Use Double Clicks to Bypass Security Protections
Independent cybersecurity researcher Paulos Yibelo has revealed a new type of clickjacking attack, which he calls DoubleClickjacking. In these attacks, cybercriminals trick users into performing specific actions using double mouse clicks, effectively bypassing existing security measures.
What Is Clickjacking?
Clickjacking typically refers to scenarios where attackers create malicious web pages that deceive visitors into clicking on hidden or disguised elements. This is usually done by overlaying a hidden iframe, crafted by hackers, on top of a legitimate page. The malicious page is designed so that the buttons and links in the hidden iframe align with those on the target page.
Attackers lure users to these sites and prompt them to click a link or button, such as to claim a reward or view an image. However, when the user clicks, they are actually interacting with the hidden iframe, which can lead to harmful actions like authorizing OAuth applications.
Modern Browser Protections
In recent years, browser developers have implemented several security features to prevent most clickjacking attacks. These include blocking cross-site cookies and setting restrictions (like `X-Frame-Options` or `frame-ancestors`) on which resources can be embedded in iframes.
How DoubleClickjacking Works
Yibelo describes a new attack method called DoubleClickjacking, which uses double clicks to trick users into performing actions. Here’s how it works:
- The attacker creates a website with an innocent-looking bait button (for example, “Click here to watch a movie”).
- When the visitor clicks the button, a new window appears, covering the original page and displaying another lure, such as a CAPTCHA challenge.
- Meanwhile, JavaScript on the original page changes the content in the background to another site where the user is expected to take an action.
- The CAPTCHA overlay asks the user to double-click an element to solve the challenge. The page tracks `mousedown` events and, upon detecting the first click, quickly closes the overlay. As a result, the second click lands on an authorization button or link that was previously hidden beneath the overlay.
Ultimately, the user unintentionally clicks a button, which can be exploited to install a plugin, connect an OAuth app to the victim’s account, or approve a multi-factor authentication request.
Why DoubleClickjacking Is Dangerous
According to Yibelo, these attacks bypass all existing clickjacking protections because DoubleClickjacking does not use iframes or attempt to transfer cookies to another domain. Instead, the actions occur directly on legitimate sites.
Yibelo claims this attack threatens nearly all websites on the internet and has provided demonstration videos showing DoubleClickjacking used to compromise Shopify, Slack, and Salesforce accounts. Even more concerning, he notes that the attack can also target browser extensions.
“For example, I created a proof of concept for popular browser-based cryptocurrency wallets, and this technique can be used to authorize web3 transactions and dApps or disable a VPN to reveal the IP address,” Yibelo explains. “It can also be implemented on mobile phones by asking the victim to double-tap.”
How to Protect Against DoubleClickjacking
To defend against this type of attack, Yibelo suggests using JavaScript on your site to disable important buttons and links until a gesture is fully completed. This prevents the second click of a double-click from registering on an authorization button the instant a malicious overlay is dismissed. He also recommends using a special HTTP header to limit or block rapid window switching during double clicks.
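One way to implement the gesture check described above, as an added example rather than code from Yibelo's write-up: sensitive controls stay disabled until the user has moved the pointer and a short dwell time has passed since the page last gained focus, so a second click that lands a few milliseconds after an overlay window closes is rejected. The names `createGestureGate`, `armSensitiveControls` and the `data-sensitive` attribute are this example's own, and the timings in the simulations are constructed.

```javascript
// Added example, not from Yibelo's write-up. A DoubleClickjacking second
// click arrives a few ms after the overlay closes, before any pointer
// movement on the victim page, so a gate that demands movement plus a
// minimum dwell time after focus rejects it while accepting real users.
function createGestureGate({ minDwellMs = 500 } = {}) {
  let readyAt = null; // time the page last gained focus/visibility
  let moved = false;  // has the pointer moved since then?
  return {
    onFocus(t) { readyAt = t; moved = false; },
    onBlur() { readyAt = null; moved = false; },
    onPointerMove() { if (readyAt !== null) moved = true; },
    // A click counts as intentional only after a pointer move and at
    // least minDwellMs following the focus change.
    allowClick(t) {
      return readyAt !== null && moved && t - readyAt >= minDwellMs;
    },
  };
}

// Constructed timeline of the attack: the overlay closes and focus
// returns at t=1000; the second mousedown lands at t=1040 with no
// intervening pointer movement.
function simulateDoubleClickjacking(gate) {
  gate.onFocus(1000);
  return gate.allowClick(1040); // → false (click rejected)
}

// Constructed timeline of a real user: focus, move the pointer, click
// after a pause.
function simulateLegitimateClick(gate) {
  gate.onFocus(0);
  gate.onPointerMove();
  return gate.allowClick(1200); // → true (click accepted)
}

// Browser wiring (skipped under Node): keep [data-sensitive] controls
// disabled whenever the gate says a click would not be intentional.
function armSensitiveControls(gate, selector = '[data-sensitive]') {
  if (typeof document === 'undefined') return false;
  const refresh = () => document.querySelectorAll(selector)
    .forEach((el) => { el.disabled = !gate.allowClick(Date.now()); });
  window.addEventListener('focus', () => { gate.onFocus(Date.now()); refresh(); });
  window.addEventListener('blur', () => { gate.onBlur(); refresh(); });
  document.addEventListener('mousemove', () => { gate.onPointerMove(); refresh(); });
  setInterval(refresh, 100); // re-enable once the dwell time has elapsed
  if (document.hasFocus()) gate.onFocus(Date.now());
  refresh();
  return true;
}
```

This is a client-side mitigation only; the server should still require its own explicit confirmation for consequential actions such as OAuth grants.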