This could be mitigated by solving a longstanding UX issue: UI elements changing just before you click or tap.
Why not, by default, prevent interactions with newly visible (or newly at that location) UI elements? I find it incredibly annoying when a page is loading and things appear or move as I’m clicking/tapping. A nice improvement would be to give feedback that your action was ineffective/blocked.
This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.
Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.
The idea here is simple: get users to commit to clicking twice, but the pop up page only accepts a single click before closing. Their second click goes to the page underneath the pop up, which is e.g. an authentication button.
I'm a little skeptical that this is a real exploit.
When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.
I also don't understand when the popup is shown, and what the element is when the popup is closed.
Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate
people who write search result UIs that update/rearrange whilst you're trying to select something have known about the general class of bait-and-switch click vulnerability for years
I feel like this relies more on social engineering itself than anything else. I think confirmations / captchas should be in use for any critical functionality any way, but watching the exploit vid makes it seem like I can submit a bug for a user going to GitHub, downloading malware, then running that malware, because an email told them they should. The extra tab involvement wouldn't raise any red flags for a user?
I clicked on a bad link a few months ago. I can't believe I fell for it. I've disabled javascript by default in my browser and only enable it for websites that I trust. It is painful for some websites that redirect a lot.
What are you doing to reduce your chances of running bad javascript code?
Lots of people suggesting that double click here means to click the mouse twice quickly but I believe it refers to clicking submit (once), then clicking the pop up button (once), to get two total clicks.
Bit off topic, but what's the reasoning behind messing with the native browser scroll here. Almost gets me motion sick when scrolling through this article.
DoubleClickjacking: A New type of web hacking technique
(paulosyibelo.com)237 points by shinzub 14 January 2025 | 100 comments
Comments
This will install malware code that was put in the clipboard by using javascript.
Why not, by default, prevent interactions with newly visible (or newly at that location) UI elements? I find it incredibly annoying when a page is loading and things appear or move as I’m clicking/tapping. A nice improvement would be to give feedback that your action was ineffective/blocked.
So I'd try adding a small timeout when the tab is visible:
https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/
When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.
I also don't understand when the popup is shown, and what the element is when the popup is closed.
Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate
Related XKCD: https://www.explainxkcd.com/wiki/index.php/2415:_Allow_Captc...
What are you doing to reduce your chances of running bad javascript code?
Also i wonder if the suggested mitigation can somehow be worked around by somehow preloading the page into the bfcache.