“Double-Click” Attack to Hack Websites & Take over Accounts

   January 1, 2025  Posted in CyberSecurityNews


In a concerning development for internet security, a new variation of a long-standing cyberattack technique known as “DoubleClickjacking,” has been discovered, threatening the security of major websites and exposing users to account takeovers.

This sophisticated attack bypasses existing clickjacking protections, leaving many online platforms vulnerable.

What Is DoubleClickjacking?

Building on the decade-old concept of g, DoubleClickjacking introduces a subtle yet impactful twist. Clickjacking typically tricks users into clicking hidden or disguised buttons, often leading to unauthorized actions.

While modern web browsers have mitigated traditional clickjacking risks by setting cookies to “SameSite: Lax” by default, DoubleClickjacking circumvents these safeguards by exploiting a two-click sequence.

In this attack demonstrated by PAULOS, an unsuspecting user is misled into double-clicking on a seemingly harmless prompt. During this action, attackers manipulate the timing and event sequence to replace or close the top-level browser window and swap in a sensitive page such as an OAuth authorization dialog or account setting confirmation page in the background.

The user’s second click unknowingly authorizes a malicious action, granting attackers access to their accounts.

How the Attack Works

  1. Initial Setup: The attacker creates a website containing a button that opens a new window. This window might display an innocent-looking prompt, such as “Double-click to verify you’re not a robot.”
  2. Triggering the Exploit: When the user clicks the button: A new window opens, and the user is prompted to double-click.

Simultaneously, the parent window’s content is replaced with a sensitive page (e.g., an OAuth authorization prompt) using window.opener.location.

  • The first click (registered on mousedown) closes or changes the top window.
  • The second click (registered on mouseup) lands on the sensitive element in the parent window, authorizing malicious actions such as granting attacker app permissions.

This technique is particularly dangerous because it manipulates the timing difference between user interactions (mousedown vs. onclick events) and seamlessly swaps the window content without detection.

How Dangerous in Real-World

DoubleClickjacking has far-reaching consequences, especially for platforms relying on OAuth for account authorization. Affected websites could see attackers:

  • Take over user accounts.
  • Authorize malicious applications with extensive data access privileges.
  • Change critical account settings or even initiate financial transactions.

Tests have revealed that many major websites supporting OAuth are vulnerable to this attack, leading to potential exploitation on platforms like Salesforce, Slack, and Shopify.

  1. Bypasses Existing Protections: Traditional defenses like X-Frame-Options headers, Content Security Policies (CSP), and SameSite cookies are ineffective against this attack.
  2. Minimal User Interaction: The exploit only requires a simple double-click, making it highly deceptive.
  3. Extensive Reach: DoubleClickjacking affects not only websites but also browser extensions, such as crypto wallets or VPNs, enabling attackers to disable security features or authorize transactions.

Mitigation Strategies

1. Client-Side Protections

Developers can implement simple JavaScript solutions to disable sensitive buttons by default unless intentional user interaction is detected. For example:

(function(){
  if (window.matchMedia && window.matchMedia("(hover: hover)").matches) {
    var buttons = document.querySelectorAll('form button, form input[type="submit"]');
    buttons.forEach(button => button.disabled = true);
    function enableButtons() { buttons.forEach(button => button.disabled = false); }
    document.addEventListener("mousemove", enableButtons);
    document.addEventListener("keydown", e => { if(e.key === "Tab") enableButtons(); });
  }
})();

This script ensures that buttons remain disabled until real user activity—like moving a mouse or pressing a key—is detected, thwarting automated or tricked clicks. Platforms such as Dropbox already employ such preventative measures.

2. Long-Term Browser Solutions

To address this issue at the root level, browsers should introduce new standards to prevent rapid context-switching during double-click sequences. Possible measures include:

  • Introducing a Double-Click-Protection HTTP header.
  • Enhancing CSP directives to account for multi-click scenarios.

3. Best Practices for Developers

  • Add protective scripts to sensitive pages, such as those handling OAuth permissions or payment confirmations.
  • Enforce stricter controls over embedded windows or opener-based navigation.

DoubleClickjacking represents a new frontier in web-based attacks, exploiting timing vulnerabilities in user interactions to bypass established clickjacking defenses.

Developers and security teams must act swiftly to address this risk by implementing client-side protections and advocating for browser-level security enhancements. As the digital landscape evolves, staying vigilant against innovative attack methods like DoubleClickjacking is essential to safeguarding user data and trust.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free



Source link