Emerging "DoubleClickjacking" Attack Threatens Web Security

A newly identified vulnerability, labeled “DoubleClickjacking” by security researcher Paulos Yibelo, exploits a timing-based double-click process to bypass clickjacking protections on prominent websites.

DoubleClickjacking builds on traditional clickjacking, where users are tricked into clicking on disguised web elements that deploy malware or steal data. This variation leverages the gap between two clicks in a double-click action to sidestep defenses like X-Frame-Options headers, SameSite cookies, and Content Security Policy (CSP).

The attack includes a multi-step process. First, a compromised site opens a new browser window, often camouflaged as a CAPTCHA or similar harmless element. During this time, the original window that contained site content is changed to a malicious page — such as one that approves an unauthorized OAuth application.

In the new window containing the CAPTCHA or other harmless element, the user is asked to double click. The first click instantly closes the new window, leaving the second click to land on a now-exposed malicious link or button. As such, the user is tricked into clicking something they shouldn’t have.

Yibelo suggests that website owners implement client-side defenses to mitigate the vulnerability. For example, critical buttons should remain disabled until a mouse gesture or key press is recognized. Some platforms, like Dropbox, already utilize such measures. However, broader solutions will require browser vendors to establish new standards akin to X-Frame-Options’ protections against iframe-based Clickjacking.

DoubleClickjacking is not Yibelo’s first discovery in this domain. He also discovered another clickjacking variant last year, called cross-window forgery or gesture-jacking, where users could be manipulated into executing malicious actions by holding down the Enter or Space keys. This vulnerability was demonstrated on platforms like Coinbase and Yahoo!, where attackers could exploit OAuth applications to take over accounts.

As web applications evolve, so do the threats against them. DoubleClickjacking highlights the need for innovative defenses to address increasingly sophisticated exploits.