A new and “extremely rampant” cyberthreat has emerged that involves exploiting mouse double-click timing to bypass protections on web browsers and trick users into authorizing unintended actions such as sharing sensitive data or approving malicious app access, according to cybersecurity expert Paulos Yibelo.
Dubbed “double clickjacking,” the new threat manipulates browser users into unknowingly interacting with sensitive elements, such as login authorizations or account permissions, by seamlessly switching the context of a webpage during a double-click action, according to Yibelo, who detailed the exploit in a recent blog post.
Double clickjacking attacks typically begin with a malicious webpage presenting an innocuous prompt, such as a CAPTCHA or a verification request, asking the user to double-click to proceed. On the first click, the attacker's script opens a new browser window while changing what the original window shows. In the split second between the first and second clicks, the original content is replaced with a sensitive page, such as a permission request or an account-authorization dialog, positioned so that its confirm button sits directly under the cursor. The second click lands on that button, approving an action the user never intended to take.
Double clickjacking is a novel variation of clickjacking, an attack that has been around for years. Clickjacking attacks enable malicious websites to trick users into clicking hidden buttons that they never intended to interact with, giving rise to the risk of unauthorized transactions, data breaches, or control over user accounts.
The original clickjacking attack has been rendered largely impractical because modern browsers honor protections that stop a malicious site from loading sensitive content inside a hidden frame, such as the X-Frame-Options and Content-Security-Policy frame-ancestors headers and SameSite cookie defaults. Double clickjacking sidesteps these defenses because the target page is never framed at all: it is loaded in its own top-level window, where framing protections do not apply, and the attack instead exploits the sequence and timing of the user's own clicks. That makes it a more sophisticated and dangerous threat.
“While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie,” Yibelo notes. “This technique seemingly affects almost every website, leading to account takeovers on many major platforms.”
Double clickjacking is dangerous for several reasons, according to Yibelo. Not only does it bypass traditional clickjacking protections, it can also be aimed at browser extensions, not just websites. Yibelo says proof-of-concept attacks have shown how it could be used against popular browser-based crypto wallets to approve web3 transactions the user never intended, and how it could disable VPN extensions, potentially exposing a user's IP address.
Further, double clickjacking is "extremely rampant," according to Yibelo, who says that every website he has tested is vulnerable by default. It also requires minimal user interaction: a single double-click, rather than filling out forms or completing multiple steps.
Yibelo says long-term solutions to guard against double clickjacking would require browser updates and new standards. In the meantime, he recommends that developers use a relatively simple JavaScript approach on their websites: keep critical buttons disabled by default and enable them only once a genuine user gesture, such as mouse movement or a key press, has been detected. A double-click produces no such gesture between its two clicks, so the second click arrives at a control that is still disabled.
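The following is an added example written for this article; it is not Yibelo's published snippet or code from any site he tested. It does two things: it builds a "gesture gate" that keeps sensitive buttons disabled until the page has been visible for a settle period and a real gesture has been seen, and it replays the event timeline described above (first click on the attacker's prompt, sensitive page swapped under the cursor, second click a few hundred milliseconds later with no movement in between) against a gated and an ungated page. The event names used, the 500 ms settle time, the `button[data-sensitive]` selector and the sample timelines are all assumptions made for the example.

```javascript
'use strict';
// Added example, not from Yibelo's post or The Epoch Times.
// Assumptions: the events below count as gestures, a sensitive page needs
// 500 ms on screen before it may be activated, and sensitive controls are
// marked with a data-sensitive attribute.

const ARMING_EVENTS = ['mousemove', 'pointermove', 'keydown', 'touchmove'];

// A gate that stays closed until a real gesture is seen after the settle period.
// `now` is injectable so the logic can be replayed against a fake clock.
function createGestureGate(options = {}) {
  const settleMs = options.settleMs ?? 500;          // assumption, see above
  const now = options.now || (() => Date.now());
  const state = { armed: false, shownAt: now() };
  return {
    // Feed every event the page sees; returns true once the gate is armed.
    observe(type) {
      if (ARMING_EVENTS.includes(type) && now() - state.shownAt >= settleMs) {
        state.armed = true;
      }
      return state.armed;
    },
    allowActivation() { return state.armed; },
  };
}

// Wire the gate into a real page: controls start disabled and are only enabled
// after a qualifying gesture. The capture-phase click guard is a second layer
// in case some other script re-enables a control.
function installGestureGate(doc, selector, gate) {
  const controls = Array.from(doc.querySelectorAll(selector));
  const setDisabled = (d) => controls.forEach((c) => { c.disabled = d; });
  setDisabled(true);
  const onEvent = (ev) => { if (gate.observe(ev.type)) setDisabled(false); };
  ARMING_EVENTS.forEach((t) => doc.addEventListener(t, onEvent, { passive: true }));
  controls.forEach((c) => c.addEventListener('click', (ev) => {
    if (!gate.allowActivation()) { ev.preventDefault(); ev.stopImmediatePropagation(); }
  }, true));
}

// Replay a timeline of [millisecondsSincePageShown, eventType] pairs.
// `makeGate` receives a clock and returns a gate, or is null for an
// unprotected page. Returns whether the sensitive action would have fired.
function replayTimeline(timeline, makeGate) {
  let t = 0;
  const gate = makeGate ? makeGate(() => t) : null;
  let fired = false;
  for (const [at, type] of timeline) {
    t = at;
    if (gate) gate.observe(type);
    if (type === 'click') fired = gate ? gate.allowActivation() : true;
  }
  return fired;
}

// Constructed timelines. In the attack, the second click of the double-click
// reaches the swapped-in page within ~200 ms and no mousemove/keydown occurs.
// A legitimate user moves the mouse (or types) before deliberately clicking.
const ATTACK_TIMELINE = [[150, 'mousedown'], [220, 'mouseup'], [220, 'click']];
const LEGIT_TIMELINE = [[800, 'mousemove'], [1500, 'mousedown'], [1580, 'mouseup'], [1580, 'click']];

const gatedPage = (clock) => createGestureGate({ now: clock });

// Browser entry point; skipped when run under Node.
if (typeof document !== 'undefined') {
  installGestureGate(document, 'button[data-sensitive]', createGestureGate());
}
```

On an ungated page `replayTimeline(ATTACK_TIMELINE, null)` reports the action as fired; with `gatedPage` the same timeline is refused because no gesture arrived after the settle period, while `LEGIT_TIMELINE` is allowed. The settle time is a belt-and-braces addition beyond the gesture check: it also refuses an early gesture that happens to fire during the window swap.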
He also urges users to be wary of prompts requiring double-clicks, especially on unfamiliar websites. Keeping browsers and extensions updated ensures that the latest security patches are in place, helping reduce exposure to exploits. Using anti-malware and security tools can also help detect and block suspicious behavior in real time.
From The Epoch Times