A researcher has devised a brand new assault technique that leverages double-clicks to focus on customers. Recognized as DoubleClickjacking, these assaults can bypass most current anti-clickjacking measures.
DoubleClickjacking Assault Threatens Most Present Web sites
Safety researcher Paulos Yibelo demonstrated DoubleClickjacking assaults as the brand new menace for many web sites.
Clickjacking has lengthy been a potent menace to customers, enabling attackers to steal knowledge whereas staying below the radar. Nonetheless, with time, sturdy safety measures have been developed to forestall clickjacking assaults. Nonetheless, DoubleClickjacking assaults can bypass most current safety checks, posing a brand new web site menace.
Particularly, these assaults exploit the time distinction between the 2 clicks. Whereas clickjacking entails overlaying websites with attacker-generated home windows to seize customers’ clicks, DoubleClickjacking improvises this system by altering screens from the beginning of the primary click on to the tip of the second click on.
The attacker might show screens with clickbait buttons reminiscent of “click on right here” to carry out an motion, prompting the consumer to double-click. As soon as clicked, the webpage rapidly adjustments to hijack the second click on for the opposite web page. Right here, the actions might embrace any malicious actions to focus on the sufferer consumer, reminiscent of authorizing an attacker’s account integration or bypassing an MFA immediate.
This assault is exclusive and stronger in that it doesn’t move cookies to a different web site however executes immediately on a goal web site. Because it bypasses most current anti-clickjacking strategies, virtually all web sites are susceptible to DoubleClickjacking assaults.
Apart from web sites, this assault additionally works in opposition to browser extensions and cellular purposes (requiring the sufferer to “double faucet” as an alternative).
The researcher shared the next video demonstrating the assault, whereas they shared the PoC of their put up.
Urged Countermeasures
Regardless of all its severity, DoubleClickjacking isn’t a wholly unavoidable assault. The researcher has proposed varied mitigation methods for susceptible web sites and apps to stay secure. These embrace making use of client-side safety by operating scripts to forestall clicks on delicate buttons and implementing iframe-based clickjacking prevention scripts, amongst others.
Tell us your ideas within the feedback.