DoubleClickjacking Exploit Threatens Major Websites’ Security

A new exploit named DoubleClickjacking exposes vulnerabilities in major websites, allowing attackers to bypass existing clickjacking protections. This attack uses a double-click sequence to perform malicious actions, including account takeovers, with minimal user interaction.

Unlike traditional clickjacking, which tricks users into clicking deceptive elements, DoubleClickjacking exploits the gap between the first and second clicks. This timing-based manipulation bypasses defenses such as the X-Frame-Options header and SameSite cookie policies. The attack relies on opening a new browser window that mimics a legitimate prompt, like CAPTCHA verification.

The sequence works as follows: A user visits an attacker-controlled website. A fake window or tab prompts the user to double-click. During the double-click process, the attacker uses JavaScript to redirect the parent window to a malicious page. This allows the attacker to approve sensitive actions, like authorizing a malicious OAuth application, without the user’s awareness.

Most current web frameworks are designed to prevent single-click exploits but fail to address timing-based attacks like DoubleClickjacking. A researcher explained, “This exploit manipulates event timing to swap harmless UI elements with sensitive ones instantly.”

Some websites have already implemented client-side measures to prevent such attacks. For instance, critical buttons remain inactive unless triggered by genuine user gestures. However, a broader solution requires browser vendors to introduce new security standards.

This exploit builds on previous research that demonstrated another variation called cross-window forgery. In that case, victims were tricked into holding down a key, such as Enter or Space, to execute harmful actions. Popular websites like Coinbase and Yahoo! were found vulnerable to this method.

Preventing DoubleClickjacking Exploits

To protect against DoubleClickjacking, website owners should implement client-side defenses. For example, disable critical buttons by default and activate them only with legitimate user inputs, like mouse gestures or key presses. Additionally, browser developers should consider adopting advanced standards to combat timing-based attacks. Users should stay vigilant by avoiding suspicious links and ensuring their browsers and apps are always updated to the latest versions