The Hacker News | January 1, 2025
Ravie Lakshmanan | Web Security / Vulnerability

Threat hunters have disclosed a new “widespread timing-based vulnerability class” that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers on almost all major websites.

The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo.

“Instead of relying on a single click, it takes advantage of a double-click sequence,” Yibelo said. “While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie.”


Clickjacking, also called UI redressing, is an attack technique in which users are tricked into clicking a seemingly innocuous web page element (e.g., a button) that actually triggers an action on another page or site, which can lead to outcomes such as malware deployment or the exfiltration of sensitive data.

DoubleClickjacking is a variation on this theme that exploits the timing gap between the first click of a double-click sequence and the second: the page under the cursor is swapped in between, so the second click lands on a sensitive control. This bypasses the usual security controls and enables account takeover with minimal user interaction.

Specifically, it involves the following steps:

  • The user visits an attacker-controlled site that opens a new browser window (or tab), either without any user interaction or when a button is clicked.
  • The new window, which can mimic something innocuous such as a CAPTCHA verification, prompts the user to double-click to complete the step.
  • As the double-click is underway (on the first click's mousedown), the parent window is navigated, via the JavaScript Window Location object, to a sensitive page, for example the consent screen for approving a malicious OAuth application.
  • At the same time, the window in front is closed, so the second click lands on the confirmation button that is now under the cursor in the parent window, and the user unknowingly grants access.

“Most web apps and frameworks assume that only a single forced click is a risk,” Yibelo said. “DoubleClickjacking adds a layer many defenses were never designed to handle. Methods like X-Frame-Options, SameSite cookies, or CSP cannot defend against this attack.”

Website owners can mitigate the vulnerability class client-side by keeping critical buttons disabled by default and enabling them only once a mouse movement or key press is detected on the page; a click that arrives before any such gesture, as the second half of a double-click does, is then ignored. Services like Dropbox have already been found to employ this kind of protection.
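The following is an added example, not code from the article or from Yibelo's write-up, that models the attack timeline from the steps above together with the client-side mitigation just described. It runs under Node without a browser, so the DOM is a minimal stand-in constructed here; the `data-sensitive` attribute, the attacker and target URLs, and the `client_id` value are assumptions made for illustration.

```javascript
'use strict';

// Minimal stand-ins for the DOM pieces the example needs (constructed here so
// the file runs offline under Node; they are not a real browser).
class FakeElement {
  constructor(id) {
    this.id = id;
    this.disabled = false;
    this.listeners = new Map();
    this.clickCount = 0;
  }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push(fn);
  }
  dispatch(type, detail = {}) {
    for (const fn of this.listeners.get(type) || []) fn(detail);
  }
  // A disabled button ignores clicks, as in a real browser.
  click() {
    if (this.disabled) return false;
    this.clickCount += 1;
    this.dispatch('click');
    return true;
  }
}

class FakeDocument extends FakeElement {
  constructor(sensitiveButtons) {
    super('#document');
    this.sensitiveButtons = sensitiveButtons;
  }
  querySelectorAll(selector) {
    // Only the selector the defense uses is modelled.
    return selector === 'button[data-sensitive]' ? this.sensitiveButtons : [];
  }
}

// Defense: keep sensitive buttons disabled until this page has seen a genuine
// user gesture (mouse movement or a key press). A page that was swapped in
// mid-double-click receives its click before any such gesture, so the click
// is dropped. `data-sensitive` is an assumed marker attribute.
function protectSensitiveButtons(doc) {
  const buttons = doc.querySelectorAll('button[data-sensitive]');
  for (const b of buttons) b.disabled = true;
  const arm = () => { for (const b of buttons) b.disabled = false; };
  doc.addEventListener('mousemove', arm);
  doc.addEventListener('keydown', arm);
  return buttons;
}

// Attack timeline. `protect` toggles the defense on the target page.
// Returns { authorized, openerLocation }.
function simulateDoubleClickjacking({ protect }) {
  const authorizeButton = new FakeElement('authorize');
  const targetPage = new FakeDocument([authorizeButton]);
  if (protect) protectSensitiveButtons(targetPage);

  // Parent (opener) window starts on the attacker site. URLs are assumed.
  const opener = { location: 'https://attacker.example/', document: null };
  // A pop-up in front shows "double-click to verify"; the cursor is over it.
  const popup = { open: true };

  // First click of the double-click: on mousedown the pop-up closes and the
  // opener's location is swapped to the sensitive page. The cursor never moves.
  const onFirstMousedown = () => {
    opener.location = 'https://target.example/oauth/authorize?client_id=evil-app';
    opener.document = targetPage; // stands in for the navigation having completed
    popup.open = false;
  };
  onFirstMousedown();

  // Second click, a few tens of milliseconds later, lands on the opener, on
  // the element under the unmoved cursor: the Authorize button. No mousemove
  // has fired on the new page.
  const landed = opener.document.querySelectorAll('button[data-sensitive]')[0];
  const authorized = landed.click();
  return { authorized, openerLocation: opener.location };
}

// A genuine user opens the consent page, moves the mouse, then clicks.
function simulateLegitimateApproval() {
  const authorizeButton = new FakeElement('authorize');
  const page = new FakeDocument([authorizeButton]);
  protectSensitiveButtons(page);
  page.dispatch('mousemove'); // a real gesture on this page arms the button
  return authorizeButton.click();
}

console.log('no defense  :', simulateDoubleClickjacking({ protect: false }).authorized);
console.log('with defense:', simulateDoubleClickjacking({ protect: true }).authorized);
console.log('legit user  :', simulateLegitimateApproval());
```

The point the model makes explicit is that none of the framing defenses apply here: the sensitive page is loaded top-level in the opener, so X-Frame-Options, frame-ancestors and SameSite cookies all see an ordinary first-party navigation. The only signal the target page has is that a click arrived before any gesture originated on the page itself, which is what the disabled-until-gesture guard keys on.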

As long-term solutions, it’s recommended that browser vendors adopt new standards akin to X-Frame-Options to defend against double-click exploitation.

“DoubleClickjacking is a twist on a well-known attack class,” Yibelo said. “By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye.”


The disclosure arrives nearly a year after the researcher also demonstrated another clickjacking variant called cross window forgery (aka gesture-jacking) that relies on persuading a victim to press or hold down the Enter key or Space bar on an attacker-controlled website to initiate a malicious action.

On websites like Coinbase and Yahoo!, it could be abused to achieve an account takeover “if a victim that is logged into either site goes to an attacker website and holds the Enter/Space key.”

“This is possible because both sites allow a potential attacker to create an OAuth application with wide scope to access their API, and they both set a static and / or predictable ‘ID’ value to the ‘Allow/Authorize’ button that is used to authorize the application into the victim’s account.”
