A new clickjacking technique, DoubleClickjacking, abuses double clicks to hijack accounts while evading existing clickjacking defences, tricking people into authorising sensitive actions without their knowledge.
Clickjacking occurs when attackers use a malicious webpage with hidden or disguised elements to deceive users into clicking on them. The technique, also known as UI redressing, loads a genuine webpage in a hidden iframe on a page controlled by the threat actors and tempts users to click a link or button by displaying a reward or picture.
When the user clicks, the click lands on the hidden iframe and triggers a sensitive action, such as authorising an OAuth application or accepting a multi-factor authentication request. Browser developers have, however, introduced features that blunt such attacks, including no longer sending cookies across websites and security restrictions that let websites refuse to be embedded in iframes.
DoubleClickjacking was uncovered by cybersecurity expert Paulos Yibelo; it abuses the timing of a double click to execute sensitive actions on webpages. To carry out the attack, attackers create a webpage with a seemingly harmless button. For example, the website could show a “Click here” button to receive a reward or view a movie or video.
When the visitor clicks the button, a new window opens on top of the original site with a further task, such as completing a captcha, to proceed. While the user is occupied with that task, JavaScript on the original page, now underneath the new window, navigates it to a page chosen by the threat actors.
The captcha in the new window prompts the visitor to double-click to solve it. The first click closes the captcha overlay, so the second click lands on the page that was hidden beneath it. With that click on the now exposed button, the user can be tricked into authorising the installation of a plugin, connecting an OAuth application to their account, or even completing an MFA prompt.
The technique bypasses current defences against clickjacking because it uses a separate window rather than an overlaid iframe. It affects many sites, and Yibelo shared demonstration videos using the method to take over Shopify, Slack and Salesforce accounts.
The attack method could be used against browser extensions as well. Yibelo said, “For example, I have made proof of concepts to top browser crypto wallets that use this technique to authorise web3 transactions & dApps or disabling VPN to expose IP, etc.”
The security expert provided a JavaScript snippet that mitigates DoubleClickjacking when added to a webpage: it keeps sensitive buttons disabled until the visitor performs a genuine gesture on the page, so a double click cannot land on an authorisation button the moment it is exposed. An HTTP header limiting or blocking rapid context-switching between windows during double clicks could also prevent the attack.
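The mitigation described above, as an added example in JavaScript (this is not Yibelo's snippet nor code from the article): sensitive buttons stay disabled until a short settle period has passed and the visitor has produced a real gesture on this page, so a stray second click is rejected. The names createGestureGate and installGestureGuard, the data-sensitive attribute and the 500 ms settle period are assumptions for the example.

```javascript
// Added example (not the article's or Yibelo's code): a gesture gate for
// sensitive buttons. The page starts "disarmed"; only a gesture that occurs
// after the settle period arms it, and clicks before that are blocked.
function createGestureGate(options = {}) {
  const settleMs = options.settleMs ?? 500;          // assumed settle period
  const now = options.now ?? (() => Date.now());     // injectable clock for tests
  const loadedAt = now();
  let armed = false;
  let blocked = 0;                                   // rejected clicks, for telemetry

  return {
    // Call on mousemove / keydown / touchstart: a genuine gesture on this page.
    onGesture() {
      if (!armed && now() - loadedAt >= settleMs) armed = true;
      return armed;
    },
    // Call from a sensitive button's click handler; true means proceed.
    allowClick() {
      if (armed) return true;
      blocked += 1;
      return false;
    },
    isArmed: () => armed,
    blockedCount: () => blocked,
  };
}

// Browser wiring: disables every button marked data-sensitive until the gate
// arms, and cancels any click that slips through while still disarmed.
function installGestureGuard(doc, gate) {
  const gestures = ["mousemove", "keydown", "touchstart"];
  const buttons = doc.querySelectorAll("button[data-sensitive]");
  buttons.forEach((b) => { b.disabled = true; });
  const arm = () => {
    if (gate.onGesture()) {
      buttons.forEach((b) => { b.disabled = false; });
      gestures.forEach((t) => doc.removeEventListener(t, arm));
    }
  };
  gestures.forEach((t) => doc.addEventListener(t, arm));
  buttons.forEach((b) => b.addEventListener("click", (e) => {
    if (!gate.allowClick()) e.preventDefault();
  }, true));
}

// In a browser, guard the page as soon as this script runs.
if (typeof document !== "undefined") installGestureGuard(document, createGestureGate());
```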