Friday, October 17, 2025

New DoubleClickjacking Attacks Bypass Existing Protections


A researcher has devised a new attack technique that leverages double-clicks to target users. Known as DoubleClickjacking, these attacks can bypass most existing anti-clickjacking measures.

DoubleClickjacking Attack Threatens Most Existing Websites

Security researcher Paulos Yibelo demonstrated DoubleClickjacking attacks as a new threat to most websites.

Clickjacking has long been a potent threat to users, enabling attackers to steal data while staying under the radar. Over time, robust security measures have been developed to prevent clickjacking attacks. Nonetheless, DoubleClickjacking attacks can bypass most existing security checks, posing a new threat to websites.

Specifically, these attacks exploit the time gap between the two clicks. Whereas classic clickjacking overlays a site with an attacker-controlled window to capture the user's click, DoubleClickjacking builds on this technique by changing what is on screen between the start of the first click and the end of the second click.

The attacker may display a screen with a clickbait button such as "click here" to perform some action, prompting the user to double-click. Once the first click lands, the page quickly changes so that the second click is hijacked onto the other page. The hijacked action can be any malicious operation against the victim user, such as authorizing an attacker's account integration or bypassing an MFA prompt.

This attack is unique and more powerful in that it does not pass cookies to another site but executes directly on the target site. Since it bypasses most existing anti-clickjacking methods, almost all websites are vulnerable to DoubleClickjacking attacks.

Besides websites, this attack also works against browser extensions and mobile applications (requiring the victim to "double tap" instead).

The researcher shared a video demonstrating the attack and published the PoC in their post.

Suggested Countermeasures

Despite its severity, DoubleClickjacking is not an entirely unavoidable attack. The researcher has proposed various mitigation strategies for vulnerable websites and apps to remain protected. These include applying client-side protection by running scripts that prevent clicks on sensitive buttons, and implementing iframe-based clickjacking prevention scripts, among others.
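One way to implement the client-side protection the researcher describes, as an added example that is not code from the article or from the researcher's post: sensitive buttons stay disabled until the page itself has seen a deliberate mouse movement or key press, so a click that lands on a just-revealed page with no prior interaction is ignored. The `data-sensitive` attribute, arming on `mousemove`/`keydown` and disarming on `blur`/hidden are our assumptions, not the researcher's exact script.

```javascript
// Added example, not code from the article or from Paulos Yibelo's post.
// Sensitive buttons start disabled and are enabled only after this page has
// seen a user gesture of its own (mousemove or keydown). The second click of a
// DoubleClickjacking sequence arrives on a freshly revealed page with no such
// gesture, so it is refused. Attribute and event names are our assumptions.

// Pure state machine, kept free of the DOM so it can be exercised headlessly.
function createClickGuard() {
  let armed = false;
  return {
    arm() { armed = true; },      // user demonstrably interacted with this page
    disarm() { armed = false; },  // page lost focus or was hidden: trust resets
    isArmed() { return armed; },
  };
}

// Replays a constructed event sequence and reports which clicks were honoured.
function simulate(events) {
  const guard = createClickGuard();
  const honoured = [];
  for (const evt of events) {
    if (evt === 'mousemove' || evt === 'keydown') guard.arm();
    else if (evt === 'blur' || evt === 'hidden') guard.disarm();
    else if (evt === 'click') honoured.push(guard.isArmed());
  }
  return honoured;
}

// Browser wiring; expects <button data-sensitive> elements to exist already.
function installClickGuard(doc, win) {
  const guard = createClickGuard();
  const buttons = Array.from(doc.querySelectorAll('button[data-sensitive]'));
  const sync = () => buttons.forEach((b) => { b.disabled = !guard.isArmed(); });
  sync(); // disabled until the user moves the mouse or types on this page
  for (const name of ['mousemove', 'keydown']) {
    doc.addEventListener(name, () => { guard.arm(); sync(); });
  }
  win.addEventListener('blur', () => { guard.disarm(); sync(); });
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') { guard.disarm(); sync(); }
  });
  // Refuse the click in the capture phase even if the disabled flag was changed.
  for (const b of buttons) {
    b.addEventListener('click', (e) => {
      if (!guard.isArmed()) { e.preventDefault(); e.stopImmediatePropagation(); }
    }, true);
  }
  return guard;
}

if (typeof document !== 'undefined') installClickGuard(document, window);
```

Load the script at the end of the body (or after the sensitive buttons are rendered) so `installClickGuard` finds them.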

Let us know your thoughts in the comments.
