DoubleClickjacking: A New type of web hacking technique

(paulosyibelo.com)

Comments

janmo 18 January 2025
There is also a technique where they ask you to press: [Win + R] + [CTRL + V] + [ENTER] to verify that you are human.

This will install malware code that was put in the clipboard by using JavaScript.

grokblah 18 January 2025
This could be mitigated by solving a longstanding UX issue: UI elements changing just before you click or tap.

Why not, by default, prevent interactions with newly visible (or newly at that location) UI elements? I find it incredibly annoying when a page is loading and things appear or move as I’m clicking/tapping. A nice improvement would be to give feedback that your action was ineffective/blocked.

maxrmk 17 January 2025
This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.
efortis 14 January 2025
I think the suggested mitigation will only work when the user double-clicks without moving the mouse.

So I'd try adding a small timeout when the tab is visible:

  document.addEventListener("visibilitychange", () => {
    if (!document.hidden)
      setTimeout(enableButtons, 200)
  })
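
The timeout idea from efortis's comment above, worked into a fuller guard as an added example (not code from the comment or from the linked article). It goes beyond the comment by also re-locking on window blur and by checking at click time instead of toggling buttons; `createClickGuard` and the `data-sensitive` attribute are hypothetical names.

```javascript
// Added example. createClickGuard and data-sensitive are hypothetical names.
function createClickGuard(delayMs = 200, now = () => Date.now()) {
  let activeSince = null; // time the page last became visible and focused

  return {
    // Call whenever visibility or focus changes.
    update(active) {
      if (!active) activeSince = null;                    // re-lock immediately
      else if (activeSince === null) activeSince = now(); // start the delay once
    },
    // A click is honoured only after delayMs of uninterrupted activity.
    allows() {
      return activeSince !== null && now() - activeSince >= delayMs;
    },
  };
}

// Browser wiring (skipped outside a browser, e.g. under Node).
if (typeof document !== "undefined") {
  const guard = createClickGuard(200);
  const sync = () => guard.update(!document.hidden && document.hasFocus());
  document.addEventListener("visibilitychange", sync);
  window.addEventListener("focus", sync);
  window.addEventListener("blur", sync);
  sync(); // a page that loads already visible still waits out the delay

  // Capture phase on document: runs before the button's own handlers.
  document.addEventListener("click", (event) => {
    if (!(event.target instanceof Element)) return;
    const sensitive = event.target.closest("[data-sensitive]");
    if (sensitive && !guard.allows()) {
      event.preventDefault();           // no form submit / navigation
      event.stopImmediatePropagation(); // no other click handlers
    }
  }, true);
}
```

Mark the buttons that authorize something (OAuth consent, payment, account changes) with `data-sensitive`; a click that lands within 200 ms of the page regaining visibility or focus is dropped.
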
joshfraser 17 January 2025
Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.

https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/

nneonneo 18 January 2025
The idea here is simple: get users to commit to clicking twice, but the pop up page only accepts a single click before closing. Their second click goes to the page underneath the pop up, which is e.g. an authentication button.
gwbas1c 17 January 2025
I'm a little skeptical that this is a real exploit.

When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," i.e., something showed up in the Salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.

I also don't understand when the popup is shown, and what the element is when the popup is closed.

Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate.

inopinatus 18 January 2025
people who write search result UIs that update/rearrange whilst you're trying to select something have known about the general class of bait-and-switch click vulnerability for years
Vortigaunt 17 January 2025
Thankfully this shouldn't become a large problem, because websites simply don't load that quick
alp1n3_eth 18 January 2025
I feel like this relies more on social engineering itself than anything else. I think confirmations / captchas should be in use for any critical functionality anyway, but watching the exploit vid makes it seem like I can submit a bug for a user going to GitHub, downloading malware, then running that malware, because an email told them they should. The extra tab involvement wouldn't raise any red flags for a user?
sharpshadow 17 January 2025
New fear unlocked: lazy cookie consent banners.
steven_noble 18 January 2025
The article’s headline says it’s a new technique. The article’s body does not really say this.
cryptonector 18 January 2025
And this is a great reason to use Firefox's containers feature.
Dwedit 18 January 2025
In other words, a social engineering attack to trick people into authorizing something they did not want to authorize.

Related XKCD: https://www.explainxkcd.com/wiki/index.php/2415:_Allow_Captc...

swframe2 18 January 2025
I clicked on a bad link a few months ago. I can't believe I fell for it. I've disabled javascript by default in my browser and only enable it for websites that I trust. It is painful for some websites that redirect a lot.

What are you doing to reduce your chances of running bad javascript code?

jmull3n 18 January 2025
This would be super effective as a form submit button that doesn’t respond, tricking the user into rage clicking
bawolff 18 January 2025
That's clever, but I feel like it would be difficult to pull off in practice.

Also I wonder if the suggested mitigation can somehow be worked around by somehow preloading the page into the bfcache.

yellow_lead 17 January 2025
Am I mistaken or does this require the user to allow pop-ups?
chrismarlow9 18 January 2025
You can use similar tricks to sniff auto fill data with arrow keys, a fake pacman game, and hidden form fields using focus.
pinoy420 18 January 2025
Genius. I am gonna use this until browsers do a permanent prompt “are you sure you want to close this window?”
lapcat 18 January 2025
It appears that you can replace double-click with command-click, and listen for keydown rather than mousedown.
gnabgib 14 January 2025
Title: DoubleClickjacking: A New Era of UI Redressing
denuoweb 18 January 2025
Lots of people suggesting that double click here means to click the mouse twice quickly but I believe it refers to clicking submit (once), then clicking the pop up button (once), to get two total clicks.
krunck 17 January 2025
Browser content should never be able to modify the configuration of my desktop window layout by opening a new window. There I said it.
bangaladore 17 January 2025
Bit off topic, but what's the reasoning behind messing with the native browser scroll here? Almost gets me motion sick when scrolling through this article.
IshKebab 17 January 2025
Eh, it's hardly seamless, and double clicking is extremely uncommon on the web so that would be a big red flag.