Your security headers have no power here

Everyone loves a highly technical Mr. Robot exploit, but simple attacks can be just as severe. Paulos Yibelo, known for his creativity in client-side web exploits, recently unleashed a new UI attack that can bypass all modern clickjacking defenses, posing a serious threat to web security. 

This new attack may not be as appealing as a new Log4j vulnerability, but the result is still critical. Remember, an attacker’s primary goal is a single (or double) action account takeover.

Here, we focus on why this new attack is much more dangerous than clickjacking, while being just as trivial.

Modern web browsers have greatly mitigated the risk of clickjacking. SameSite=Lax is now the default cookie policy, preventing cross-site cookie transmission when a site is framed. Other defenses include the X-Frame-Options header, Content Security Policy (CSP), and JavaScript frame-busting code.

Double-clickjacking bypasses ALL of these defenses, affects nearly every website, and works with any browser. 

A simple vulnerability scanner will not detect this vulnerability. It is a “timing-based” attack: it exploits the specific timing of user actions and browser responses. It also involves OAuth business logic and user education, and a simple vulnerability scan will not detect or solve any of those three elements.

To detect this vulnerability, you need a team to manually examine your applications and systems. This hands-on approach is crucial, giving you a real-world test with an attacker’s eye.

What is DoubleClickjacking?

DoubleClickjacking is an innovative take on the classic clickjacking technique, where attackers trick users into clicking on something other than what they intended. However, unlike its single-click predecessor, DoubleClickjacking uses a double-click sequence to bypass these protections. This makes it particularly insidious because it leverages a common user behavior in an unexpected way.

How Does DoubleClickjacking Work?

Initial Interaction: An attacker crafts a web page with an innocuous-looking button or element that prompts the user to double-click. 

What causes users to blindly perform innocent actions? CAPTCHA. Think of something like, “Double click here to prove you aren’t a robot.” 

First Click: Upon the first click (mousedown event), the attacker’s script quickly manipulates the window context. This might involve opening a new window or redirecting the current one to a sensitive page, like an OAuth authorization flow.

Second Click: Before the second click completes (onclick event), the original top window is swapped with something malicious. Thus, the second click, intended for one action, performs another, potentially sensitive action. A common case would be a single-click OAuth button granting permissions to a targeted service. Remember, the POC will show the redirects, and it will be obvious, but the second click will perform authentication without notifying the user. It is intentionally obvious in the demo below, but you will not see the second click in a real attack. That will all be hidden.

This method hijacks the user’s double-click, using the slight delay between mousedown and mouseup to switch out UI elements, allowing for actions like granting permissions to malicious applications or changing account settings without the user’s awareness. In the demo, the user would grant all of their Salesforce permissions to the attacker.

Why Traditional Defenses Fail

No iframe Dependency: Unlike traditional clickjacking, which often uses iframes to overlay elements, DoubleClickjacking directly manipulates the top-level window, making X-Frame-Options headers useless.

SameSite Cookies Bypassed: Since the attack doesn’t depend on cross-site cookie transmission or on cross-site scripting, SameSite cookie policies do not protect against it.

Timing Exploit: The attack exploits the timing difference between browser events, something not accounted for in most current security measures and not easily tested by vulnerability scanners.

The Implications:

While this attack can rely on the user landing on the attacker’s malicious site, it doesn’t require it. This attack could be step two after a simple HTML, XSS, or JS injection. A vulnerability scanner might pick up a low-severity HTML injection, but that can quickly escalate to a high-severity account takeover when combined with DoubleClickjacking. Even browser extensions, including those for web3 transactions or VPNs, are at risk. The implications of this attack are far-reaching, potentially compromising sensitive data and user accounts.

Mitigation Strategies:

Since this is a new attack vector, there is no simple “doubleClick:strict” header (yet). However, there are several tactics to protect yourself. 

Manual Testing: Automated scanners often miss timing-based attacks, so include manual penetration tests in your security program. A skilled tester can simulate a real DoubleClickjacking scenario and spot subtle business logic weaknesses that scanners will miss. If the human element is being exploited, a human element will be required to find the exploit. 

Review OAuth Flows: Carefully audit any OAuth implementations. For high-risk actions (like granting OAuth permissions), add a quick confirmation prompt or a separate “Are you sure?” screen. That extra interaction breaks the timing chain exploited by DoubleClickjacking: the hijacked second click lands on the confirmation screen, not on the grant.

Client-Side Defenses: This is the most targeted and custom defense. Implement scripts that disable critical buttons or actions until a clear user gesture is detected (e.g., mouse movement or key press). 

POC:

This code ensures that on devices supporting hover (i.e., typical desktop/laptop environments), no form can be submitted immediately upon load or via automated scripts. The user must perform a conscious action—mouse movement or key navigation—before the buttons are functional again. This helps break the chain for certain UI redressing and timing-based exploits.
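The post’s own POC is not reproduced on this page; the block below is an added example, not the author’s code, that implements the defense the paragraph describes. The gate logic is kept free of DOM calls so it can be exercised under Node, and the browser wiring at the bottom only runs when a document exists. Assumptions: hover capability is read from the (hover: hover) media query, and the buttons to protect carry a hypothetical data-critical attribute, for example <button data-critical>Authorize</button>.

```javascript
// Added example (not the post's POC). On hover-capable devices, critical
// buttons stay disabled until the page sees a deliberate user gesture
// (mouse movement or a key press). A click that arrives on a freshly shown
// page with no gesture before it is refused.

// Pure gate state, testable without a browser.
function createGestureGate(hoverCapable) {
  // Touch-only devices have no mouse to move, so they are never gated.
  let armed = !hoverCapable;
  return {
    // mousemove / keydown on the protected page arms the gate.
    onGesture() { armed = true; },
    // Disarm when the page is shown or regains focus, so a gesture made
    // earlier cannot carry over to a window swapped in under the cursor
    // between mousedown and mouseup.
    reset() { if (hoverCapable) armed = false; },
    isArmed() { return armed; },
  };
}

// Mirror the gate into the DOM: disabled = !armed. Returns how many buttons
// remain locked, so the state is observable without reading the DOM.
function applyGate(gate, buttons) {
  for (const b of buttons) b.disabled = !gate.isArmed();
  return buttons.filter(b => b.disabled).length;
}

// Replay an event sequence against a gated page and report, for each click,
// whether it was refused (true) or allowed (false).
function simulate(hoverCapable, events) {
  const gate = createGestureGate(hoverCapable);
  const refused = [];
  for (const ev of events) {
    if (ev === 'mousemove' || ev === 'keydown') gate.onGesture();
    else if (ev === 'pageshow' || ev === 'focus') gate.reset();
    else if (ev === 'click') refused.push(!gate.isArmed());
  }
  return refused;
}

// Browser wiring; skipped under Node.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const hoverCapable = window.matchMedia('(hover: hover)').matches; // assumption
  const gate = createGestureGate(hoverCapable);
  const buttons = Array.from(document.querySelectorAll('button[data-critical]')); // hypothetical attribute
  const sync = () => applyGate(gate, buttons);
  const arm = () => { gate.onGesture(); sync(); };
  const disarm = () => { gate.reset(); sync(); };
  window.addEventListener('mousemove', arm);
  window.addEventListener('keydown', arm);
  window.addEventListener('pageshow', disarm);
  window.addEventListener('focus', disarm);
  document.addEventListener('DOMContentLoaded', sync);
  sync();
}

if (typeof require !== 'undefined' && require.main === module) {
  // Attack-shaped sequence: page shown, click, no gesture in between.
  console.log('fresh page + click refused:', simulate(true, ['pageshow', 'click']));
  // Normal use: the user moves the mouse before clicking.
  console.log('mousemove then click refused:', simulate(true, ['pageshow', 'mousemove', 'click']));
}
```

The gate raises the bar rather than removing the risk: it relies on the hijacked second click arriving with no mouse movement on the victim page, which is what a double-click looks like, so any server-side confirmation step should stay in place as well.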

User Education: Yes, it always seems to go back to the user. This is another example of a new style of attack that could catch many users off guard. Educate your users on the dangers of double-clicking unfamiliar prompts.

Conclusion:

DoubleClickjacking represents a shift in how attackers can manipulate user interfaces to bypass security. It is another crafty bypass to keep developers on their toes and think beyond traditional security paradigms. With attack vectors constantly emerging, development teams struggle to balance new threats while juggling sprint goals. 

AccessIT Group provides the expertise needed to safeguard your applications, ensuring security doesn’t become a roadblock to innovation. We tailor security services and solutions to your unique business needs, allowing your team to stay focused on delivering exceptional software. With our specialists at the forefront of cybersecurity, we help your organization stay resilient in an ever-evolving threat landscape.

By: David Gebert – Security Engineer – OSCP | SSCP | VHL+

David is a Penetration Tester in the Risk Advisory Services practice at AccessIT Group (AITG). With a background in DevOps and security engineering from Symantec and Toyota Financial Services, he leverages a unique blend of expertise in his role, identifying vulnerabilities and securing systems against evolving threats. Certified in OSCP, SSCP, VHL+, eJPT, and Sec+, David stays ahead by engaging with the bug bounty community and mastering the latest web application hacking techniques. Passionate about continuous learning, he tackles Capture The Flag (CTF) challenges and pursues new certifications to sharpen his skills. His hands-on approach and dedication to penetration testing make him a valued voice in cybersecurity.
