New cyber threat DoubleClickjacking exposes major website vulnerabilities
A new cyber threat named DoubleClickjacking has been disclosed by security researcher Paulos Yibelo, exposing vulnerabilities on major websites and effectively bypassing existing clickjacking protections.
DoubleClickjacking is a timing-based vulnerability class that capitalizes on a double-click sequence rather than a single click. Yibelo explained that this minor shift enables new UI manipulation attacks that can bypass all known clickjacking defenses, including the X-Frame-Options header and SameSite cookies.
Clickjacking, also known as UI redressing, tricks users into clicking on seemingly harmless web page elements, which can lead to malware deployment or sensitive data exfiltration. The DoubleClickjacking technique exploits the timing gap between the first click and the second click to execute attacks with minimal user interaction.
DoubleClickjacking involves several steps. The attacker creates an innocent-looking website that prompts users to double-click a button, which may be disguised as a CAPTCHA verification. When the user begins the double-click, the attacker uses the JavaScript window.location object to quietly redirect to a sensitive target page, such as an OAuth authorization dialog. Because the top window closes in the middle of the sequence, the user unknowingly approves the permission confirmation dialog and grants access.

Yibelo noted that most web applications and frameworks are designed to mitigate risks associated with single forced clicks, rendering current clickjacking defenses inadequate against this new variant. The attack leverages the timing and event sequence in ways that existing security protocols cannot effectively address.
The vulnerabilities associated with DoubleClickjacking pose significant risks on platforms that utilize OAuth for account authorizations. Affected websites risk suffering from account takeovers, unauthorized authorization of malicious applications, alteration of critical account settings, and initiation of financial transactions. Major websites including Salesforce, Slack, and Shopify have been identified as vulnerable.
This attack also affects browser extensions, such as crypto wallets and VPNs, allowing attackers to disable essential security features or authorize transactions without the user’s consent.
DoubleClickjacking can evade traditional protections like X-Frame-Options headers, Content Security Policies (CSP), and SameSite cookies. The vulnerability capitalizes on the rapid timing of user interactions, requiring only a double-click to exploit the user.
The researcher's warning is that websites and developers urgently need new protective measures to address this vulnerability effectively.
To address the DoubleClickjacking vulnerability, security experts recommend several mitigation strategies. A client-side approach can be adopted where developers disable critical buttons by default until genuine user interaction is detected, utilizing JavaScript solutions. For example, a script may disable form buttons until mouse movement or key presses are identified.
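A client-side guard of the kind described above, as an added example (not code from the researcher or the article): buttons marked with an assumed data-sensitive attribute start disabled and are armed only after a genuine mousemove or keydown on the page, so a click that arrives with no prior interaction does nothing. ARM_DELAY_MS is an assumed threshold.

```javascript
// Added defensive example, not from the article. Sensitive buttons stay disabled
// until a genuine mousemove/keydown has been seen on this page; a click that
// arrives without any prior interaction is ignored.
const ARM_DELAY_MS = 250; // assumed threshold, not a value from the article

// DOM-free state machine so the logic can be tested outside a browser.
function createInteractionGuard(now = () => Date.now()) {
  let firstInteractionAt = null;
  const api = {
    // Record the first genuine user interaction (mousemove or keydown).
    interact() { if (firstInteractionAt === null) firstInteractionAt = now(); },
    // Armed only once a real interaction happened at least ARM_DELAY_MS ago.
    isArmed() {
      return firstInteractionAt !== null && now() - firstInteractionAt >= ARM_DELAY_MS;
    },
    // Wrap a click handler so it is a no-op while the guard is not armed
    // (defence in depth in case the disabled attribute is stripped).
    guard(handler) {
      return (event) => {
        if (!api.isArmed()) {
          if (event && typeof event.preventDefault === 'function') event.preventDefault();
          return false;
        }
        handler(event);
        return true;
      };
    },
  };
  return api;
}

// Browser wiring: buttons are selected by an assumed data-sensitive attribute,
// e.g. <button data-sensitive>Authorize</button>. Returns the number protected.
function protectSensitiveButtons(doc, guard) {
  const buttons = Array.from(doc.querySelectorAll('button[data-sensitive]'));
  buttons.forEach((b) => { b.disabled = true; });
  const arm = () => {
    guard.interact();
    setTimeout(() => {
      if (guard.isArmed()) buttons.forEach((b) => { b.disabled = false; });
    }, ARM_DELAY_MS);
  };
  doc.addEventListener('mousemove', arm, { once: true });
  doc.addEventListener('keydown', arm, { once: true });
  return buttons.length;
}

if (typeof document !== 'undefined') { // only runs in a real browser
  const guard = createInteractionGuard();
  protectSensitiveButtons(document, guard);
  document.querySelectorAll('button[data-sensitive]').forEach((b) => {
    b.addEventListener('click', guard.guard(() => { /* real sensitive action */ }));
  });
}
```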
Long-term solutions involve browser vendors introducing new standards similar to X-Frame-Options to defend against rapid context-switching during double-click sequences. Recommended measures may include creating a Double-Click-Protection HTTP header and adapting CSP directives to account for multi-click scenarios.
Additionally, developers should add protective scripts to sensitive pages and enforce stricter controls over embedded windows or opener-based navigation to strengthen defenses against this new attack method.
Featured image credit: Kerem Gülen/Midjourney