DoubleClickjacking Vulnerability Lets Attackers Manipulate Users
A new vulnerability, known as DoubleClickjacking, has emerged as a significant threat to web security. This technique bypasses protections against clickjacking, allowing attackers to manipulate user interactions and hijack accounts on various platforms.
"DoubleClickjacking adds a layer many defenses were never designed to handle," writes Paulos Yibelo, the ethical hacker who identified this new threat. "This attack exploits the timing between clicks to bypass mechanisms like X-Frame-Options and SameSite cookies, making it a more sophisticated and dangerous version of traditional clickjacking."
Classic clickjacking attacks trick users into clicking on something different from what they perceive, and have been known for over a decade. Traditional protections, such as the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, work by stopping a sensitive page from being embedded in a cross-site frame at all. As these defenses have become common, attackers have looked for ways to get a user's click onto a sensitive page without framing it.
DoubleClickjacking is a new form of UI manipulation that exploits a double-click sequence to carry out the attack. Unlike standard clickjacking, which relies on a single click landing on a hidden, framed element, DoubleClickjacking uses a two-step process that bypasses existing protections by exploiting the timing and event ordering of the two clicks: the page under the cursor changes between the first click and the second.
How Does it Work?
DoubleClickjacking begins on an attacker-controlled page with a button that opens a new window. When the user clicks the button, a second window opens on top of the first and asks the user to double-click. On the first mousedown of that double-click, the new window uses window.opener.location to navigate the parent window to a target page, such as an OAuth authorization page, and then closes itself. The second click of the sequence therefore lands on whatever is now under the cursor in the parent window, typically the "Authorize" button, and the user unknowingly grants the attacker's application access to their account.
This is why the existing defenses do not apply. According to Yibelo, traditional clickjacking protections such as the X-Frame-Options header or SameSite cookie settings are ineffective against DoubleClickjacking: the target page is never placed in a frame, so frame-busting headers have nothing to block; the parent window is navigated to the target at top level, so cookies marked SameSite=Lax (the browser default) are sent and the victim arrives logged in; and the click that hits the button is a real user click, not a synthesized one, so the target page cannot tell it apart from a legitimate interaction on its own.
DoubleClickjacking affects more than websites. Yibelo notes that it also works against browser extensions and mobile browsers, where the same trick applies to a double-tap. For example, attackers can use the technique to approve Web3 transactions from a wallet extension, manipulate crypto wallets, or disable a VPN extension to expose the user's IP address.
Mitigating DoubleClickjacking requires both a client-side fix now and a browser-level solution in the long term. For the former, Yibelo suggests a simple JavaScript defense: sensitive buttons start disabled and are only enabled once the page itself has observed a genuine user gesture, such as mouse movement or a key press. A hijacked second click arrives on a page that was navigated to a moment earlier and has seen neither, so it hits a disabled button. According to Yibelo, platforms including Dropbox, Stripe, and GitHub have already adopted this approach.
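As an added example that is not part of the original article and not Yibelo's own code, the following JavaScript models both halves of what the article describes: the two attacker-side pages as they would be served (browser-only, shown here as HTML strings), and the "disable until a real gesture" defense as a small gate that runs in Node for testing and is wired to the DOM only when a document exists. The hostname target.example, the element ids, the selector for sensitive controls, and the sample event streams are all assumptions constructed for this example.

```javascript
// Added example (not code from the article or from Yibelo's write-up).
// Hostnames, element ids, selectors and event streams are hypothetical.

// --- Attacker side: the pages a victim would be served (browser-only) ---
// Page 1: the attacker's top-level page. The click on this button is a real
// user gesture, so the browser allows window.open without a popup blocker.
const ATTACKER_PAGE = `
<button id="start">Click to verify you are human</button>
<script>
  document.getElementById('start').addEventListener('click', () => {
    window.open('/popup.html', '_blank', 'width=400,height=300');
  });
</script>`;

// Page 2: the popup that asks for a double-click. On the FIRST mousedown it
// navigates its opener (the attacker tab underneath) to the sensitive page
// and closes itself, so the second click of the double-click lands on the
// target page's button, which is now under the cursor.
const POPUP_PAGE = `
<p>Double-click to continue</p>
<script>
  document.addEventListener('mousedown', () => {
    window.opener.location = 'https://target.example/oauth/authorize?client_id=evil';
    window.close();
  }, { once: true });
</script>`;

// --- Defender side: gate logic (runs anywhere), DOM wiring at the bottom ---
// Sensitive controls stay disabled until this page has observed a pointer
// movement or key press of its own. The attacker's page cannot inject such
// events into a cross-origin page, and a stationary double-click produces
// no mousemove, so the hijacked click arrives with the gate still closed.
function createClickGate() {
  let armed = false;
  return {
    // Returns true when the event should be honoured, false when dropped.
    handle(type) {
      if (type === 'mousemove' || type === 'keydown') armed = true;
      if (type === 'click') return armed;
      return true;
    },
    isArmed: () => armed,
  };
}

// Replays a sequence of DOM event types against a fresh gate and returns
// the verdict for each click in the sequence.
function replayEvents(types) {
  const gate = createClickGate();
  const accepted = [];
  for (const t of types) {
    const ok = gate.handle(t);
    if (t === 'click') accepted.push(ok);
  }
  return accepted;
}

// Constructed sample: what the target page sees during the attack. It was
// navigated to an instant ago and the only input is the tail end of the
// victim's double-click: no mousemove, no keydown.
const ATTACK_EVENTS = ['mousedown', 'mouseup', 'click'];
// Constructed sample: a real user moves the pointer onto the button first.
const LEGIT_EVENTS = ['mousemove', 'mousemove', 'mousedown', 'mouseup', 'click'];

// DOM wiring for a browser: disable the sensitive controls up front and
// re-enable them the first time a genuine gesture reaches the page.
function protectSensitiveButtons(doc, selector) {
  const buttons = Array.from(doc.querySelectorAll(selector));
  const gate = createClickGate();
  buttons.forEach((b) => { b.disabled = true; });
  const enable = () => { buttons.forEach((b) => { b.disabled = false; }); };
  for (const type of ['mousemove', 'keydown']) {
    doc.addEventListener(type, () => { gate.handle(type); enable(); }, { once: true });
  }
  return gate;
}

if (typeof document !== 'undefined') {
  // Hypothetical selector for this page's sensitive controls.
  protectSensitiveButtons(document, 'form button, button[data-sensitive]');
}
```

The gate relies on one assumption: the hijacked click reaches the target page before any genuine pointer movement or key press does. A stricter variant could additionally require a minimum dwell time after navigation before enabling the controls, which blocks any variant that manages to produce a movement event quickly. Keyboard users arm the gate through keydown, so the defense does not lock them out.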
In the long term, according to Yibelo, browser vendors should introduce new standards to prevent DoubleClickjacking, such as a special HTTP header that could limit rapid context-switching between windows during a double-click sequence. “It is crucial that developers implement defensive measures on sensitive pages, such as those handling OAuth verifications, payment confirmations, or other high-priority actions,” says Yibelo. “Until browsers provide a more robust solution, developers must take proactive steps to mitigate the threat of DoubleClickjacking and protect their users from account takeovers and other malicious activities.”