New “DoubleClickjacking” Exploit Bypasses Clickjacking Protections on Major Websites

Jan 01, 2025 | Ravie Lakshmanan | Web Security / Vulnerability


Threat hunters have revealed a new “widespread timing-based vulnerability class” that exploits a double-click sequence to enable clickjacking attacks and account takeovers on nearly all major websites.

The method has been named DoubleClickjacking by security expert Paulos Yibelo.

“Instead of depending on a single click, it utilizes a double-click sequence,” Yibelo explained. “Although it may seem like a minor alteration, it introduces new UI manipulation attacks that circumvent all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie.”


Clickjacking, also known as UI redressing, is an attack method where users are deceived into clicking on a seemingly harmless web element (e.g., a button), resulting in malware deployment or sensitive data exfiltration.

DoubleClickjacking is a variation on this concept that exploits the brief interval between the start of the first click and the end of the second to evade these protections and hijack accounts with minimal user interaction.

The attack proceeds as follows:

  • The user lands on a malicious site that either opens a new browser window (or tab) without user intervention or upon clicking a button.
  • The new window, which may resemble something innocuous like a CAPTCHA verification, prompts the user to double-click to proceed.
  • As the double-click is in progress, the parent site uses JavaScript’s Window Location object to redirect silently to a malicious page (e.g., approving a malicious OAuth application).
  • Simultaneously, the top window closes, so the second click lands on the permission confirmation dialog underneath it and the user unknowingly grants access.

“Most web applications and frameworks assume that only a single forced click poses a risk,” Yibelo noted. “DoubleClickjacking introduces a layer that many defenses were not designed to handle. Techniques like X-Frame-Options, SameSite cookies, or CSP are ineffective against this attack.”

Website owners can mitigate this vulnerability class using a client-side method that deactivates critical buttons by default unless a mouse gesture or key press is detected. Services like Dropbox already implement such preventive measures.
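The client-side approach described above, as an added example (not code from the article, from Dropbox, or from Yibelo's write-up): sensitive buttons start disabled, are enabled only after this document itself has observed a mouse movement or key press, and are disarmed again whenever the document regains focus, since that is precisely the moment at which the second half of a double-click begun in another window would land. The `SETTLE_MS` grace period and the `button[data-sensitive]` selector are assumptions; the grace period is an addition beyond the article's description, meant to keep cursor jitter during the double-click from counting as a gesture.

```javascript
// Added example, not code from the article or from Yibelo's write-up.
// A click guard for sensitive controls (e.g. an OAuth "Authorize" button):
// buttons stay disabled until this document has seen a genuine mouse gesture
// or key press, and are disarmed again each time the document regains focus.

const SETTLE_MS = 500;                       // assumed: ignore gestures in the first 500 ms after focus
const SENSITIVE = 'button[data-sensitive]';  // assumed selector for critical buttons

// Pure state machine; `now` is injectable so the logic can be exercised without a browser.
function createClickGuard(now = () => Date.now()) {
  let focusedAt = now();   // when this document last gained focus/visibility
  let gestureSeen = false; // whether a mousemove/keydown arrived since then

  const guard = {
    onFocus() { focusedAt = now(); gestureSeen = false; },
    onGesture() { gestureSeen = true; },
    // Armed only if a real gesture was seen and the focus change has settled.
    isArmed() { return gestureSeen && now() - focusedAt >= SETTLE_MS; },
    // Returns true when a click on a sensitive control may proceed; otherwise
    // swallows the event so no handler further down the chain sees it.
    handleClick(event) {
      if (guard.isArmed()) return true;
      if (event) {
        event.preventDefault();
        event.stopImmediatePropagation();
      }
      return false;
    },
  };
  return guard;
}

// Wires the guard to a DOM document: keeps each button's `disabled` flag in sync
// with the guard and installs a capturing click handler as a second line of defence.
function installClickGuard(doc, guard = createClickGuard()) {
  const buttons = Array.from(doc.querySelectorAll(SENSITIVE));
  const sync = () => buttons.forEach((b) => { b.disabled = !guard.isArmed(); });
  const resync = () => { sync(); setTimeout(sync, SETTLE_MS); }; // re-check once the grace period has elapsed
  const onGesture = () => { guard.onGesture(); resync(); };
  const onFocus = () => { guard.onFocus(); resync(); };

  doc.addEventListener('mousemove', onGesture);
  doc.addEventListener('keydown', onGesture);
  doc.addEventListener('visibilitychange', onFocus); // fires on hide and show; disarming on both is harmless
  doc.defaultView.addEventListener('focus', onFocus);
  buttons.forEach((b) => b.addEventListener('click', (e) => guard.handleClick(e), true));
  resync();
  return guard;
}

// Only touch the DOM when one exists; the guard logic above also runs under Node.
if (typeof document !== 'undefined') installClickGuard(document);
```

Disabled buttons do not dispatch click events in browsers, so the capturing `click` listener only matters in the window between a focus change and the next `sync`; it is belt and braces, not the primary control. Because this defence is entirely client-side, the authorization endpoint should still validate its own state token server-side, as it would against ordinary clickjacking.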

In the longer term, browser vendors are urged to adopt new standards, analogous to X-Frame-Options, that counter double-click exploitation at the browser level.

“DoubleClickjacking is a variation of a well-known attack class,” Yibelo highlighted. “By exploiting the timing between clicks, attackers can seamlessly swap benign UI elements for sensitive ones in an instant.”


This disclosure comes almost a year after the researcher demonstrated another clickjacking variant, known as cross window forgery (also called gesture-jacking), that relies on convincing a victim to press or hold down the Enter key or Space bar on a malicious site to trigger a harmful action.

On platforms like Coinbase and Yahoo!, this method could be exploited to achieve an account takeover “if a logged-in victim visits an attacker site and presses the Enter/Space key.”

“This is feasible because both sites allow a potential attacker to create an OAuth application with broad scope to access their API, and they set a static and/or predictable ‘ID’ value to the ‘Allow/Authorize’ button used to authorize the application in the victim’s account.”
