Threat hunters have uncovered a new class of vulnerability termed "DoubleClickjacking," which significantly increases the risk of clickjacking attacks and account takeovers across numerous prominent websites. The technique, identified by security researcher Paulos Yibelo, relies on a double-click sequence rather than a single click, and in doing so bypasses conventional clickjacking defenses such as the X-Frame-Options header and SameSite cookies.

In traditional clickjacking attacks, users are misled into clicking on benign-looking elements on a web page, inadvertently activating malware or disclosing sensitive information. DoubleClickjacking exploits the short interval between two clicks to sidestep those security measures, allowing potentially harmful actions to be carried out with minimal user interaction.

The process operates as follows:

  1. A user navigates to a malicious site that either opens a new tab or prompts interaction through a seemingly harmless action (such as completing a CAPTCHA).
  2. To proceed, the user is instructed to double-click.
  3. Between the first and second click, the new tab runs JavaScript that redirects the main window to a sensitive page, so the second click is delivered there as though the user had approved the action.
  4. After the redirect, the malicious site closes the initial window, completing the action as if the user had consented.

Yibelo pointed out that most web applications assume the threat comes from a single click, which leaves them ill-equipped to deal with DoubleClickjacking. Current defenses do not protect against the technique because they do not account for double-click events, which gives attackers a window in which to swap a harmless UI element for a sensitive one between the two clicks.

To counter this vulnerability, web developers are encouraged to adopt client-side protections that require deliberate user interaction, such as disabling critical buttons until a mouse gesture or keyboard press is detected. Companies like Dropbox are already implementing such defenses effectively.
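The mitigation described above can be expressed as a small gesture gate. The following is an added example written for this article; it is not Dropbox's code nor anything from the researcher's write-up. It assumes sensitive buttons are marked with a `data-sensitive` attribute (a hypothetical convention) and that a minimum delay of 500 ms after the first genuine gesture is enough to ensure the enabling event cannot be the second half of a double-click (an assumed value, roughly the operating-system double-click interval). The gate logic is kept DOM-free so it can be tested on its own; the DOM wiring at the bottom only runs in a browser.

```javascript
// Added example: gate sensitive buttons behind a deliberate user gesture.
// Not code from Dropbox or from the original article; names are assumptions.

// Pure gate logic, independent of the DOM so it can be unit-tested.
function createGestureGate({ minDelayMs = 500 } = {}) {
  let armed = false;   // true once a real mouse movement or key press was seen
  let armedAt = 0;     // timestamp (ms) of that first gesture

  return {
    // Called on mousemove / keydown. A pre-positioned double-click produces
    // neither, so an attacker cannot arm the gate on the victim's behalf.
    arm(now = Date.now()) {
      if (!armed) { armed = true; armedAt = now; }
    },
    // A click is honoured only when the page is armed AND enough time has
    // passed that the click cannot be the trailing half of a double-click
    // that began on another window.
    allows(now = Date.now()) {
      return armed && (now - armedAt) >= minDelayMs;
    },
    // Dropping the armed state when the page loses visibility matters because
    // the DoubleClickjacking flow swaps windows between the two clicks.
    disarm() { armed = false; armedAt = 0; },
    isArmed() { return armed; },
  };
}

// Wires the gate to every [data-sensitive] button in the given document.
function protectSensitiveButtons(doc, gate) {
  const buttons = Array.from(doc.querySelectorAll('[data-sensitive]'));
  const refresh = () => buttons.forEach(b => { b.disabled = !gate.allows(); });

  // Start disabled: nothing sensitive is clickable until a gesture is seen.
  refresh();

  // Genuine interaction arms the gate; re-check once the delay has elapsed.
  const onGesture = () => {
    gate.arm();
    setTimeout(refresh, 500);
  };
  doc.addEventListener('mousemove', onGesture, { passive: true });
  doc.addEventListener('keydown', onGesture);

  // Losing visibility (window swapped or closed) resets the protection.
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState !== 'visible') { gate.disarm(); refresh(); }
  });

  // Belt and braces: even an enabled button refuses a click the gate rejects.
  buttons.forEach(b => b.addEventListener('click', (ev) => {
    if (!gate.allows()) { ev.preventDefault(); ev.stopImmediatePropagation(); }
  }, true));
}

// Only run the DOM wiring in a browser; in Node the functions are just exported.
if (typeof document !== 'undefined') {
  protectSensitiveButtons(document, createGestureGate({ minDelayMs: 500 }));
}
```

The 500 ms value is a tuning choice, not a rule from the article: too small and the trailing click of a double-click may still land on the freshly enabled button, too large and legitimate users notice the delay. Pairing the gate with a visibility reset is the part that matters most, since the attack depends on the sensitive page appearing under the cursor between clicks.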

Long-term, Yibelo advocates new standards, akin to X-Frame-Options, that browser vendors could implement specifically to protect users from double-click exploits.

The report follows Yibelo's earlier work on another clickjacking variant called cross-window forgery, which abuses user input to take over accounts on platforms like Coinbase and Yahoo! by persuading users to perform an action on an attacker-controlled site while logged in to the target site. Both techniques highlight the evolving landscape of web security threats and the need for robust defenses against them.
