DoubleClickjacking is a new variation of the clickjacking attack that tricks users into authorizing sensitive actions by double-clicking, bypassing the protections browsers and sites already have against classic clickjacking.
Clickjacking itself, also known as UI redressing, is an attack in which a threat actor creates a malicious web page that tricks visitors into clicking on hidden or disguised web page elements.
The attacker creates a web page and loads a legitimate web page in a hidden (transparent) iframe on top of it. The attacker-created page is laid out so that its visible buttons and links line up with the buttons and links inside the hidden iframe.
The attacker then entices visitors to click a link or button, for example to win a prize or view a picture.
However, when visitors click on the page, they are actually clicking links and buttons inside the hidden iframe, that is, on the legitimate site, which can trigger unwanted actions such as authorizing an OAuth application to connect to their account or approving an MFA request.
Over the years, browser developers introduced features that prevent most of these attacks, such as SameSite cookie defaults that stop cookies from being sent in cross-site contexts, and the X-Frame-Options header and CSP frame-ancestors directive, which let a site restrict who is allowed to frame it.
Security researcher Paulos Yibelo has disclosed a new web attack called DoubleClickjacking that exploits the timing of a double mouse click to trick users into performing sensitive actions on websites.
In this attack scenario, the threat actor will create a website that displays a seemingly harmless button with a lure, such as ‘click here’ to see a gift or watch a film.
When the visitor clicks the button, a new window opens on top of the original page and presents another lure, such as a captcha that must be solved to proceed. In the background, JavaScript navigates the original page to the legitimate site, specifically to the page carrying the action the attacker wants the victim to perform, such as an OAuth authorization prompt.
The new window asks the visitor to double-click to solve the captcha. Its script listens for the mousedown event of the first click and immediately closes the window, so the second click of the double-click lands on the authorization button or link that is now exposed on the legitimate page underneath.
The user thus unknowingly clicks the real button, potentially authorizing a browser plugin to be installed, an OAuth application to connect to their account, or a multi-factor authentication request to be approved.
DoubleClickjacking attack flow (Source: Yibelo)
What makes this so dangerous is that it bypasses all current clickjacking defenses: it does not use an iframe, so X-Frame-Options and frame-ancestors never come into play, and it does not need cookies to be sent cross-site, so SameSite defaults do not help either. The click lands directly on the legitimate site in a top-level window, where nothing distinguishes it from a genuine click.
Yibelo says the attack affects almost all sites, and shared demonstration videos that use DoubleClickjacking to take over Shopify, Slack, and Salesforce accounts.
How it looks: Salesforce account takeover (demonstration video, source: Yibelo)
Yibelo also warned that the attack is not limited to web pages; it can be used against browser extensions as well.
‘For example, I have created a proof of concept for a top browser crypto wallet that uses this technique to authorize web3 & dApps transactions or disable VPN to expose IPs, etc.,’ Yibelo explained.
‘This can also be done on mobile phones by asking the target to "DoubleTap".’
To protect against this type of attack, Yibelo shared a JavaScript snippet that can be added to web pages to keep sensitive buttons disabled until the user performs a deliberate gesture (for example, mouse movement or a key press). Because the second click of a double-click arrives with no such gesture in front of it, it cannot trigger the authorization button the moment the attacker's overlay disappears.
He also suggests, as a longer-term fix, a new HTTP header that would let browsers restrict or block rapid context switching between windows during a double-click sequence.
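The attack flow described above and the gesture-gated button defence, as an added example written for this page (it is not code from the original article, nor Yibelo's own proof-of-concept or published snippet). The window and document objects are passed in as parameters so the same functions can be driven by small fake browser objects outside a browser; TARGET_URL, the attacker.example addresses and the fake-browser helpers are assumptions made for the illustration.

```javascript
// Added example: DoubleClickjacking mechanics plus a gesture-gated button
// guard. Not Yibelo's code and not from the original article. Window and
// document objects are injected so the logic can run under Node with fakes.
const TARGET_URL = "https://target.example/oauth/authorize"; // assumed placeholder

// ---- attacker side: the flow described in the article ----

// Runs on the lure page when the visitor clicks "click here". It opens the
// double-click prompt on top and then navigates this (the opener) window to
// the target, so the sensitive button is already rendered behind the popup.
function startLure(lureWindow, promptUrl, targetUrl) {
  const popup = lureWindow.open(promptUrl, "_blank", "width=600,height=400");
  lureWindow.location.href = targetUrl;
  return popup;
}

// Runs inside the popup. It closes on the FIRST mousedown rather than on
// click, so the second press of the double-click reaches the page underneath.
function armDoubleClickPrompt(popupWindow, popupDocument) {
  popupDocument.addEventListener("mousedown", function onFirstPress() {
    popupDocument.removeEventListener("mousedown", onFirstPress);
    popupWindow.close();
  });
}

// ---- defender side: the mitigation the article describes ----

// Keeps a sensitive button disabled until the user produces a deliberate
// gesture (mouse movement or a key press) on this page. The second press of
// a double-click arrives with no such gesture before it, so the button is
// still disabled when that press lands. Regaining window focus, which is what
// happens when a covering popup closes, re-disarms the button.
function installDoubleClickGuard(win, doc, button) {
  let armed = false;
  const disarm = () => { armed = false; button.disabled = true; };
  const arm = () => { armed = true; button.disabled = false; };
  disarm();
  doc.addEventListener("mousemove", arm);
  doc.addEventListener("keydown", arm);
  win.addEventListener("focus", disarm);
  doc.addEventListener("visibilitychange", disarm);
  return function acceptClick() { return armed && !button.disabled; };
}

// ---- constructed fakes so the flow can be executed outside a browser ----
function makeFakeEventTarget() {
  const handlers = {};
  return {
    addEventListener(type, fn) { (handlers[type] = handlers[type] || []).push(fn); },
    removeEventListener(type, fn) { handlers[type] = (handlers[type] || []).filter(h => h !== fn); },
    dispatch(type) { (handlers[type] || []).slice().forEach(fn => fn()); },
  };
}

function makeFakeBrowser() {
  const popupDocument = makeFakeEventTarget();
  const openerDocument = makeFakeEventTarget();
  const openerWindow = makeFakeEventTarget(); // shows the lure first, then the target
  const popupWindow = {
    closed: false,
    close() { this.closed = true; openerWindow.dispatch("focus"); }, // focus falls back to opener
  };
  openerWindow.location = { href: "https://attacker.example/lure" };
  openerWindow.open = () => popupWindow;
  return { openerWindow, openerDocument, popupWindow, popupDocument };
}

// One double-click against an unprotected or a guarded target page.
// Returns where the second press landed and whether it counted as a click.
function simulateDoubleClick(guarded) {
  const b = makeFakeBrowser();
  const button = { disabled: false };
  const accept = guarded
    ? installDoubleClickGuard(b.openerWindow, b.openerDocument, button)
    : () => !button.disabled;
  const popup = startLure(b.openerWindow, "https://attacker.example/prompt", TARGET_URL);
  armDoubleClickPrompt(popup, b.popupDocument);
  b.popupDocument.dispatch("mousedown");              // first press: popup closes itself
  const landedOn = popup.closed ? b.openerWindow.location.href : "popup";
  b.openerDocument.dispatch("mousedown");             // second press: reaches the opener
  return { landedOn, authorized: landedOn === TARGET_URL && accept() };
}

// A genuine user on the guarded page moves the mouse before clicking.
function legitimateClick() {
  const b = makeFakeBrowser();
  const button = { disabled: false };
  const accept = installDoubleClickGuard(b.openerWindow, b.openerDocument, button);
  b.openerDocument.dispatch("mousemove");
  return accept();
}

console.log("unguarded:", simulateDoubleClick(false));
console.log("guarded:  ", simulateDoubleClick(true));
console.log("legitimate click accepted:", legitimateClick());
```

On a real page the guard is installed with the actual `window` and `document`, and the click handler of the sensitive control checks `acceptClick()` before doing anything; the fake event targets here only stand in for that wiring. The simulation shows the point of the defence: the second press of the double-click reaches the target page without any preceding mouse movement or key press, so a button that is disabled until such a gesture occurs simply ignores it, while a user who moved the mouse before clicking is unaffected.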
Sources:
https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
https://www.bleepingcomputer.com/news/security/new-doubleclickjacking-attack-exploits-double-clicks-to-hijack-accounts
https://thehackernews.com/2025/01/new-doubleclickjacking-exploit-bypasses.html