A new web hacking technique, DoubleClickjacking, is making waves in the cybersecurity world, and for good reason. This cunning method is not just a clever twist on traditional clickjacking; it’s a game-changer. By exploiting the brief interval between two clicks, attackers can stealthily replace a harmless UI element with a sensitive one in an instant, compromising user accounts with minimal interaction. Paulos Yibelo recently wrote about DoubleClickjacking.
What Is DoubleClickjacking?
DoubleClickjacking is essentially a sophisticated extension of classic clickjacking. The attacker takes advantage of the split-second timing between the first and second clicks. In a typical scenario, a user is tricked into opening a window under the guise of a legitimate action, like a captcha verification. The first click opens the window, and just as the second click is about to land, the attacker swaps in a sensitive UI element, such as an OAuth authorization button. The result? The user unwittingly grants permissions or authorizes actions they never intended to.
How It Works
Image above courtesy of Paulos Yibelo.
DoubleClickjacking takes advantage of a timing and event-order flaw:
- The attacker sets up an initial webpage with a button that either opens a new window or does so automatically without user input.
- When the user clicks this button:
  - A new window appears on top, prompting the user to “double-click.”
  - This window immediately uses `window.opener.location` to redirect the parent window to a target page.
  - The parent window now displays the target page (e.g., an OAuth authorization), while the top window still shows the double-click prompt.
- As the user follows the double-click instruction:
  - The first click (triggered on `mousedown`) causes the top window to close.
  - The second click hits the now-visible authorization button in the parent window.
- The user unknowingly grants the attacker’s application access to their account with extensive permissions.
Simply put, DoubleClickjacking exploits the tiny interval between the start of the first click and the end of the second click across multiple windows, without using any pop-under techniques. It’s a deceptive trick. Attackers initiate (or open) a new window under the pretense of a legitimate action—like a “captcha verification.” Just before the second click happens, the malicious site swaps in a sensitive window from the same session, such as an OAuth authorization prompt, effectively capturing the second click. The most reliable method to achieve this swap uses `window.opener.location`.
A critical aspect of this attack is manipulating the timing difference between the `mousedown` and `click` events, favoring `mousedown` over `click`. The `mousedown` event fires immediately when the mouse button is pressed, whereas the `click` event waits for the button release, creating a slight delay that can be exploited. Interestingly, this method works regardless of how fast or slow the user double-clicks, as the `mousedown` event handler allows for exploitation across all speeds of double-clicking.
The Scope of the Threat
This technique isn’t just a theoretical risk. It has been used to take over accounts on major platforms, including Salesforce, Slack, and Metamask Wallet. These high-profile incidents highlight the method’s potential to bypass traditional clickjacking defenses like X-Frame-Options and SameSite cookies, which were never designed to handle such a nuanced attack.
Why Is DoubleClickjacking So Dangerous?
- Existing Defenses Overwhelmed: Traditional protections like X-Frame-Options, SameSite cookies, and Content Security Policy (CSP) were built to counter single-click threats. DoubleClickjacking sidesteps these, exploiting gaps they weren’t designed to cover.
- Beyond Websites: The danger isn’t limited to web pages. Browser extensions are vulnerable too. For instance, top crypto wallets can be tricked into authorizing web3 transactions or disabling VPNs, exposing users’ IP addresses. On mobile devices, a simple “DoubleTap” can initiate these attacks.
- Expanding Attack Surface: A double-click on a malicious site can unleash a torrent of consequences across various platforms. This technique opens doors to new attack vectors previously unconsidered.
- Widespread Vulnerability: Based on extensive testing, it’s clear that many sites, unless they’ve specifically addressed this flaw, remain open to exploitation. While some have taken corrective action, others have ignored the risk, leaving users exposed.
- Minimal User Action Needed: DoubleClickjacking’s simplicity is its strength. It only requires the user to double-click, bypassing the need for complex actions or forms. This ease of execution makes it a particularly insidious threat.
The Mechanics of the Attack
The process exploits the difference between the `mousedown` and `click` events. The `mousedown` event fires as soon as the mouse button is pressed, while the `click` event waits for the button to be released. This slight delay provides a window of opportunity for attackers to swap in the sensitive page under the user’s second click.
Real-World Implications
Consider this: you double-click to authorize a seemingly benign app, but behind the scenes, your click has authorized a malicious application with full access to your account. By the time you realize something’s wrong, the damage is done. The attacker could have already extracted sensitive data, altered account settings, or transferred funds.
What Can Be Done?
Web developers and cybersecurity experts need to rethink their defense strategies to counter this emerging threat. Traditional methods like CSP, X-Frame-Options, and SameSite cookies won’t cut it anymore. More sophisticated event-handling mechanisms and user interaction validations are required to detect and block these subtle, yet devastating, attacks.
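One form such interaction validation can take, as an added example that is not code from the original post or from Paulos Yibelo’s research: a client-side “arming” gate that keeps a sensitive button (an OAuth “Authorize” control, say) inert until the page has seen genuine pointer or keyboard input and a minimum time has passed since it loaded. The second click of a DoubleClickjacking sequence arrives with no prior mousemove and within milliseconds of the page being swapped in, so the gate rejects it. The delay constant and the `authorize-btn` element id are assumptions for the demo.

```javascript
// Added example (not from the original post): a client-side arming gate for
// sensitive buttons. Assumptions: a 500 ms minimum arming delay and a button
// with id "authorize-btn" when running in a browser.

const MIN_ARM_DELAY_MS = 500;

// Pure decision logic, kept separate from the DOM so it can be unit-tested.
// loadedAt / now are millisecond timestamps (e.g. Date.now()).
function createClickGate(loadedAt, minArmDelayMs = MIN_ARM_DELAY_MS) {
  let sawRealInput = false;
  return {
    // Call from mousemove / keydown listeners: evidence of a real user.
    onActivity() { sawRealInput = true; },
    isArmed() { return sawRealInput; },
    // A click is honoured only after real input AND after the arming delay.
    shouldAccept(now) {
      return sawRealInput && now - loadedAt >= minArmDelayMs;
    },
  };
}

// Wire the gate to a real button. The click handler is registered in the
// capture phase so the check runs before any other handler on the button.
function protectButton(button, gate, onAuthorize, clock = () => Date.now()) {
  button.disabled = true; // inert until the page sees real input
  const arm = () => { gate.onActivity(); button.disabled = false; };
  document.addEventListener('mousemove', arm, { once: true });
  document.addEventListener('keydown', arm, { once: true });
  button.addEventListener('click', (ev) => {
    if (!gate.shouldAccept(clock())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
      console.warn('authorize click ignored: no prior input or too soon after load');
      return;
    }
    onAuthorize(ev);
  }, true);
}

// Browser wiring; skipped when the file is loaded outside a DOM (e.g. Node).
if (typeof document !== 'undefined') {
  const btn = document.getElementById('authorize-btn');
  if (btn) {
    protectButton(btn, createClickGate(Date.now()), () => btn.form && btn.form.submit());
  }
}
```

Touch input (the “DoubleTap” variant mentioned above) produces no mousemove, so a mobile deployment needs its own arming signal rather than this gate as written.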
As users, staying informed and vigilant is our best defense. Understanding the risks of DoubleClickjacking and being cautious about where and how we click can help mitigate the threat. But ultimately, the onus is on the tech giants and web developers to adapt and fortify their systems against this insidious new technique.
DoubleClickjacking is not just another buzzword in cybersecurity; it’s a clear and present danger. As this technique gains traction, its potential to cause widespread harm grows. Staying one step ahead requires awareness, adaptation, and a proactive approach to web security. Let’s hope the industry is ready to rise to the challenge.