New Sneaky Cyberattack – It’s Worse Than Clickjacking!

Doubleclickjacking, a cunning evolution of the clickjacking attack, bypasses standard cybersecurity protections by exploiting the timing between two clicks. This could give attackers access to your accounts without your knowledge.

At a Glance

  • Doubleclickjacking exploits double-click sequences to bypass protections like X-Frame-Options and SameSite cookies that stop traditional clickjacking
  • Major platforms, including Salesforce, Slack, and Shopify, have demonstrated vulnerabilities to this attack method
  • The technique can lead to account takeovers, unauthorized setting changes, and potential access to sensitive information
  • Protecting yourself requires updated browsers, antivirus software, strong passwords, and caution when interacting with unfamiliar websites

How Doubleclickjacking Works

Doubleclickjacking represents a sophisticated evolution of traditional clickjacking methods. Unlike its predecessor, which relies on a single deceptive click, this technique manipulates users into performing a double-click action that triggers unauthorized commands. The attack exploits timing differences between mousedown and onclick events, creating a small but critical window of opportunity where attackers can swap interface elements between your first and second click. This technical sleight-of-hand effectively redirects your second click to a completely different target than what you intended to interact with.

The mechanics involve a malicious website opening a new browser window that prompts the user to double-click on what appears to be a harmless element. During the fraction of a second between the two clicks, the attacker’s code redirects the parent window to a target page – often an OAuth permission prompt or an account settings page. When the user completes the double-click, the second click lands on the newly positioned sensitive element, potentially authorizing account access or changes without the user’s knowledge or consent.

Why Traditional Protections Fail

What makes doubleclickjacking particularly concerning is its ability to circumvent established security measures. Standard clickjacking protections such as X-Frame-Options headers and SameSite cookies were designed to defeat the embedding of a website in a frame or iframe (by refusing to render in a frame, or by withholding the session cookie from a framed cross-site request), which effectively stops traditional clickjacking attacks. However, doubleclickjacking sidesteps these defenses by exploiting event timing rather than frame embedding. The attack doesn’t require the target site to be framed – instead, it manipulates browser windows and the timing of user interactions, so the target page is loaded directly, as a first-party page, between the two clicks.
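One developer-side mitigation that addresses the timing rather than framing, as an added example that is not code from the article or from any of the vendors it names: keep sensitive controls disabled until the page has seen a genuine mouse movement or key press, since the second click of the attack arrives on a page that has only just been loaded and has received no such gesture. The `data-sensitive` attribute and the `MIN_GESTURE_TO_CLICK_MS` threshold are assumptions of this example.

```javascript
// Added example, not code from the article or from any of the vendors it
// names: a client-side guard for sensitive controls (an OAuth "Authorize"
// button, an account-settings "Save" button). They stay disabled until the
// page has seen a genuine pointer or keyboard gesture and a short settle
// period has passed, so a click that lands on a page swapped in between the
// two halves of a double-click is rejected. MIN_GESTURE_TO_CLICK_MS is an
// assumed threshold; tune it for your application.

const MIN_GESTURE_TO_CLICK_MS = 300;

// Pure decision logic with an injectable clock, so it can be tested headless.
function createActivationGuard(now = () => Date.now()) {
  let armedAt = null;
  return {
    gesture() { if (armedAt === null) armedAt = now(); }, // mousemove/keydown seen
    reset() { armedAt = null; },                          // treat page as freshly loaded
    allowsClick() {
      return armedAt !== null && now() - armedAt >= MIN_GESTURE_TO_CLICK_MS;
    },
  };
}

// Wire the guard to a document. Sensitive controls carry a data-sensitive
// attribute (assumed convention). `timer` defaults to setTimeout; tests pass a fake.
function attachGuard(doc, guard = createActivationGuard(), timer = setTimeout) {
  const controls = Array.from(doc.querySelectorAll('[data-sensitive]'));
  const sync = () => controls.forEach((el) => { el.disabled = !guard.allowsClick(); });
  sync(); // a freshly loaded page starts with every sensitive control disabled

  // Only a real gesture on this page arms the controls; a second click that
  // arrives right after navigation has produced no mousemove or keydown here.
  const onGesture = () => { guard.gesture(); timer(sync, MIN_GESTURE_TO_CLICK_MS + 5); };
  doc.addEventListener('mousemove', onGesture);
  doc.addEventListener('keydown', onGesture);

  // A tab that is hidden and shown again is treated like a fresh load.
  doc.addEventListener('visibilitychange', () => { guard.reset(); sync(); });

  // Defence in depth: even if the disabled attribute has been cleared, drop
  // clicks that reach a sensitive control before the guard is satisfied.
  controls.forEach((el) => el.addEventListener('click', (ev) => {
    if (!guard.allowsClick()) { ev.preventDefault(); ev.stopImmediatePropagation(); }
  }, true));
  return guard;
}
```

Calling `attachGuard(document)` once at page load is enough; the guard is deliberately conservative and will also delay a legitimate first click by the settle period.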

“Most web apps and frameworks assume that only a single forced click is a risk. DoubleClickjacking adds a layer many defenses were never designed to handle. Methods like X-Frame-Options, SameSite cookies, or CSP cannot defend against this attack,” says Paulos Yibelo.

Security researcher Paulos Yibelo, who identified and documented this vulnerability, demonstrated successful attacks against major platforms including Salesforce, Slack, and Shopify – all of which rely on OAuth for user authentication. The potential consequences extend beyond these platforms to any service using similar authentication methods, including browser-based cryptocurrency wallets, which could lead to financial theft in addition to data compromise.

Real-World Risks and Consequences

The threats posed by doubleclickjacking are substantial and varied. Account takeovers represent the primary danger, where attackers gain unauthorized access to your online accounts. Once compromised, these accounts can be used for identity theft, data exfiltration, or as launching points for further attacks against your contacts. Settings manipulation is another significant risk, where attackers alter your security settings, email forwarding rules, or account recovery options to maintain persistent access even after password changes.

“Doubleclickjacking is a clever new spin on a classic hacking trick that allows cybercriminals to take control over your device or account, just from a simple double-click,” says Kurt Knutsson.

The attack is particularly dangerous because of its near invisibility to users. You might simply believe you’re interacting with a legitimate website element when in reality, your second click is activating hidden functions. This could include granting malicious applications OAuth permissions, approving transactions, changing account details, or even allowing access to device hardware like webcams and microphones. The seamless nature of the attack means most users won’t realize they’ve been compromised until they notice unexpected account activity.

Protecting Yourself

While developers and browser makers work on long-term solutions, there are several practical steps you can take to protect yourself from doubleclickjacking attacks. First, exercise caution with double-clicking on unfamiliar websites – when possible, use single clicks or keyboard navigation instead. Keep your browsers and operating systems updated with the latest security patches, as these may include protections against new attack methods. Comprehensive antivirus software can often detect and block malicious websites known to employ these techniques.

Implement strong, unique passwords for each of your accounts, preferably using a password manager to track them. When available, enable two-factor authentication, which provides an additional security layer even if your password is compromised. Be particularly vigilant about permission requests – critically evaluate any prompt asking for access to your accounts or device features. Finally, regularly monitor your account activity for signs of unauthorized access, such as unrecognized logins or settings changes.

“DoubleClickjacking is a twist on a well-known attack class. By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye,” concludes Yibelo.
