New Doubleclickjacking Attack Exploits Double-Clicks to Hijack Accounts
Summary:
A new and sophisticated variation of clickjacking attacks, termed DoubleClickjacking, has been identified by cybersecurity expert Paulos Yibelo. This novel technique exploits the timing of double-click mouse actions to deceive users into performing sensitive operations on legitimate websites. Unlike traditional clickjacking, which uses hidden iframes to redirect clicks, DoubleClickjacking bypasses established protections such as iframe restrictions, cross-site cookie policies, and modern browser security features like the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive.
The attack begins with a malicious webpage designed to lure users with enticing prompts, such as "Click here to claim your reward" or "Watch this video." Upon the initial click, a secondary overlay window appears, often posing as a CAPTCHA challenge, while the original page in the background silently redirects to a legitimate website. As the user interacts with the overlay, the malicious script detects the first mouse click and immediately closes the overlay window. The user’s second click, originally intended to interact with the CAPTCHA, now lands on a critical button or link on the legitimate site. This could authorize OAuth applications, approve multi-factor authentication requests, or enable potentially malicious browser extensions. The attackers effectively use this technique to hijack sensitive processes without the user’s awareness.
Security Officer Comments:
DoubleClickjacking is particularly alarming because it circumvents all existing clickjacking defenses. Unlike traditional attacks, it does not rely on iframes or cross-site data transfer, making it exceptionally difficult to detect or mitigate using current security measures. Yibelo has demonstrated this attack on major platforms, highlighting its potential to compromise high-value accounts. Moreover, the technique is not limited to web pages; it has also been used to target browser extensions, cryptocurrency wallets, and mobile devices, where the interaction is facilitated through "DoubleTap" gestures.
Suggested Corrections:
To protect against this type of attack, Yibelo shared JavaScript that can be added to web pages to keep sensitive buttons disabled until a genuine user gesture is made. This prevents the second click of the double-click from landing on the authorization button the moment the attacker's overlay is removed. The researcher also suggests a potential HTTP header that would limit or block rapid context-switching between windows during a double-click sequence.
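The following is an added illustration of that gesture-gated mitigation, not the researcher's published snippet: controls marked with a `data-sensitive` attribute (an assumed convention) start out disabled, and a click on them is honoured only after the page has seen a real gesture and an assumed 250 ms settle window has passed, so a second click that arrives the instant an overlay closes is dropped.

```javascript
// Gesture-gated guard for sensitive controls (added example, not the
// researcher's own code). The 250 ms settle window is an assumed threshold.
function createGestureGuard(settleMs = 250) {
  let armedAt = null; // timestamp of the first genuine gesture seen
  return {
    settleMs,
    // Called from mousemove / keydown: the user has shown intent on this page.
    onGesture(now) { if (armedAt === null) armedAt = now; },
    isArmed() { return armedAt !== null; },
    // A click counts only if a gesture preceded it by at least settleMs,
    // which a double-click landing straight after an overlay closes cannot meet.
    shouldAcceptClick(now) { return armedAt !== null && now - armedAt >= settleMs; },
    reset() { armedAt = null; },
  };
}

// Wire the guard to a document. `now` is injectable so the logic can be
// exercised outside a browser; in the browser it defaults to Date.now().
function protectSensitiveControls(doc, guard, now = () => Date.now()) {
  const controls = Array.from(doc.querySelectorAll('[data-sensitive]'));
  controls.forEach((el) => { el.disabled = true; }); // disabled until a gesture

  const arm = () => {
    guard.onGesture(now());
    // Re-enable only after the settle window, mirroring shouldAcceptClick.
    setTimeout(() => controls.forEach((el) => { el.disabled = false; }), guard.settleMs);
  };
  doc.addEventListener('mousemove', arm, { once: true });
  doc.addEventListener('keydown', arm, { once: true });

  // Second line of defence: even an enabled control rejects premature clicks.
  controls.forEach((el) => el.addEventListener('click', (ev) => {
    if (!guard.shouldAcceptClick(now())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true));
}

// Only wire up the real DOM when one exists (keeps the module loadable elsewhere).
if (typeof document !== 'undefined') {
  protectSensitiveControls(document, createGestureGuard());
}
```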
Link(s):
https://www.bleepingcomputer.com/ne...ck-exploits-double-clicks-to-hijack-accounts/