DoubleClickjacking: A New type of web hacking technique

(paulosyibelo.com)

Comments

janmo 6 minutes ago
There is also a technique where they ask you to press: Win + R, CTRL + V, ENTER to verify that you are human.

This will install malware code that was put in the clipboard by using JavaScript.

steven_noble 6 minutes ago
The article’s headline says it’s a new technique. The article’s body does not really say this.
denuoweb 11 minutes ago
Lots of people suggesting that double click here means to click the mouse twice quickly but I believe it refers to clicking submit (once), then clicking the pop up button (once), to get two total clicks.
maxrmk 9 hours ago
This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.
joshfraser 6 hours ago
Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.

https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/

efortis 14 January 2025
I think the suggested mitigation will only work when the user double-clicks without moving the mouse.

So I'd try adding a small timeout when the tab is visible:

  // Re-enable the sensitive buttons only after the tab has been visible for a
  // short grace period, so a fast second click cannot land on them.
  // enableButtons is the handler that re-enables the buttons.
  document.addEventListener("visibilitychange", () => {
    if (!document.hidden)
      setTimeout(enableButtons, 200)
  })
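A fuller version of the idea in the comment above, written as an added example here (it is not code from the linked article or from any commenter). It keeps buttons disabled while the tab is hidden and for a grace period after it becomes visible again, and separates the timing logic from the DOM wiring so the logic can be checked without a browser. It assumes a hypothetical `data-sensitive` attribute marks the buttons to protect; the 200 ms value is the one suggested in the comment.

```javascript
// Added example (not from the linked article or any commenter): keep
// sensitive buttons disabled until the tab has been visible for an
// uninterrupted grace period. The state machine is separated from the DOM
// wiring so it can be exercised without a browser.

// Tracks when the page last became visible. `now` is a millisecond timestamp
// supplied by the caller, which keeps the logic deterministic.
function createVisibilityGuard(graceMs = 200) {
  let visibleSince = null; // null while the page is hidden or never shown

  return {
    // Call on every visibilitychange with the new `hidden` state.
    onVisibility(hidden, now) {
      visibleSince = hidden ? null : now;
    },
    // True only once the page has stayed visible for the full grace period.
    // A click arriving right after the page regains visibility (the window in
    // which the second click of a DoubleClickjacking sequence lands) fails.
    isArmed(now) {
      return visibleSince !== null && now - visibleSince >= graceMs;
    },
  };
}

// Browser wiring. Assumes a hypothetical `data-sensitive` attribute marks the
// buttons that must not be clickable during the grace period.
function installGuard(doc, graceMs = 200) {
  const guard = createVisibilityGuard(graceMs);
  let timer = null;

  const setDisabled = (disabled) => {
    doc.querySelectorAll("button[data-sensitive]").forEach((b) => {
      b.disabled = disabled;
    });
  };

  const sync = () => {
    clearTimeout(timer);
    guard.onVisibility(doc.hidden, Date.now());
    setDisabled(true); // disabled both while hidden and during the grace period
    if (!doc.hidden) {
      timer = setTimeout(() => setDisabled(false), graceMs);
    }
  };

  // Belt and braces: also drop clicks on sensitive buttons that arrive before
  // the guard is armed, in case some other code re-enabled a button early.
  doc.addEventListener("click", (ev) => {
    const target = ev.target;
    const btn = target && target.closest
      ? target.closest("button[data-sensitive]") : null;
    if (btn && !guard.isArmed(Date.now())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);

  doc.addEventListener("visibilitychange", sync);
  sync(); // apply the initial state at load time
  return guard;
}

// Only wire up the DOM when running in a browser.
if (typeof document !== "undefined") {
  installGuard(document);
}
```

The guard resets whenever the page is hidden, so the grace period restarts on every return to the tab rather than only on first load; the capture-phase click listener is a second line of defence for the case where the `disabled` attribute has been cleared by unrelated code.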
cryptonector 59 minutes ago
And this is a great reason to use Firefox's containers feature.
lapcat 1 hour ago
It appears that you can replace double-click with command-click, and listen for keydown rather than mousedown.
jmull3n 1 hour ago
This would be super effective as a form submit button that doesn’t respond, tricking the user into rage clicking
sharpshadow 10 hours ago
New fear unlocked: lazy cookie consent banners.
Dwedit 4 hours ago
In other words, a social engineering attack to trick people into authorizing something they did not want to authorize.

Related XKCD: https://www.explainxkcd.com/wiki/index.php/2415:_Allow_Captc...

Vortigaunt 7 hours ago
Thankfully this shouldn't become a large problem, because websites simply don't load that quick
gwbas1c 8 hours ago
I'm a little skeptical that this is a real exploit.

When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," i.e., something showed up in the Salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.

I also don't understand when the popup is shown, and what the element is when the popup is closed.

Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate

yellow_lead 10 hours ago
Am I mistaken or does this require the user to allow pop-ups?
gnabgib 14 January 2025
Title: DoubleClickjacking: A New Era of UI Redressing
krunck 10 hours ago
Browser content should never be able to modify the configuration of my desktop window layout by opening a new window. There I said it.
bangaladore 9 hours ago
Bit off topic, but what's the reasoning behind messing with the native browser scroll here. Almost gets me motion sick when scrolling through this article.
IshKebab 11 hours ago
Eh, it's hardly seamless, and double clicking is extremely uncommon on the web so that would be a big red flag.