Pierluigi Paganini January 02, 2025

The “DoubleClickjacking” exploit bypasses protections on major websites, using a double-click sequence for clickjacking and account takeover attacks.

DoubleClickjacking is a technique that allows attackers to bypass protections on major websites by leveraging a double-click sequence.

Attackers can exploit the technique to facilitate clickjacking attacks and account takeovers on almost all major websites.

Clickjacking attacks trick users into unintended clicks, this practice has declined as modern browsers enforce “SameSite: Lax” cookies, blocking cross-site authentication.

DoubleClickjacking, exploiting double-click sequences, bypasses clickjacking protections like X-Frame-Options and SameSite cookies, potentially allowing platform account takeovers.

“DoubleClickjacking is a new variation on this classic theme: instead of relying on a single click, it takes advantage of a double-click sequence. While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie.” Paulos Yibelo wrote. “This technique seemingly affects almost every website, leading to account takeovers on many major platforms.”

DoubleClickjacking exploits timing differences between mousedown and onclick events to hijack user actions. By swiftly swapping windows during a double-click, attackers redirect clicks to sensitive targets, like OAuth prompts, without relying on popunder tricks.

Below is the description of the DoubleClickjacking technique:

• An attacker starts by opening a new window through a button or automatically on a webpage.
• Clicking the button opens a new window prompting a double-click, while the parent window is redirected to the target page (e.g., OAuth authorization).
• The double-click closes the top window and unintentionally triggers authorization on the parent window, granting the attacker access with arbitrary scope.

DoubleClickjacking enables attackers to trick users into authorizing malicious apps via OAuth, often leading to immediate account takeovers. It can also manipulate users into making unauthorized account changes, such as altering security settings or confirming transactions.

The researcher published a Proof of Concept (PoC) Code for the attack along with a series of video PoC that demonstrates the attack.

To mitigate DoubleClickjacking, administrators can disable critical buttons until a mouse gesture or key press is detected. Other solutions include browser vendors adopting new standards like X-Frame-Options for protection.

“DoubleClickjacking is a sleight of hand around on a well-known attack class.” concludes the post. “By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye.  Developers and security teams should:

• Tighten their control over embedded or opener-based windows.
• Be vigilant about all forms of clickjacking—even multi-click patterns.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)