New DoubleClickjacking Hack Bypasses Website Security Protections

January 8, 2025


A novel exploit, “DoubleClickjacking,” exposes vulnerabilities in major websites, bypassing clickjacking defenses and enabling account takeovers. Ravie Lakshmanan, reporting in The Hacker News, explains that the technique manipulates a double-click sequence to trick users into unknowingly approving malicious actions.

Clickjacking, also known as UI redressing, deceives users into performing unintended actions on a malicious web page, such as clicking buttons that execute harmful commands. The technique creates significant risks for website security.

Protections like the X-Frame-Options header and SameSite cookies aim to mitigate these attacks. However, DoubleClickjacking, discovered by security researcher Paulos Yibelo, builds on this concept by exploiting the timing gap between two clicks.

DoubleClickjacking involves redirecting users during a double-click interaction. When a user interacts with an attacker-controlled site, a new browser window mimics a legitimate element, such as a CAPTCHA.

During the second click, the attacker exploits JavaScript’s window.location object to redirect the user to a malicious page while closing the original window. This process enables the seamless approval of malicious OAuth applications, granting attackers unauthorized access.

Existing defenses, including X-Frame-Options, SameSite cookies, and Content Security Policy (CSP), fail to prevent this sophisticated timing-based exploit.

Solutions include disabling critical UI elements unless user input, such as a mouse gesture or key press, is detected. Browser vendors are also encouraged to develop advanced standards to address this emerging threat.
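The client-side mitigation described above, as an added example that is not code from the article or from the researcher's write-up: a sensitive control stays disabled until the page has observed a genuine user gesture (mouse movement or key press), so a click that arrives with no prior input cannot trigger it. The element id "authorize-btn" is an assumption.

```javascript
// Added example (not from the article or its sources): gate a sensitive
// button behind evidence of a live user gesture on this page.

// Event types that count as a real gesture. A bare "click" is deliberately
// excluded: in DoubleClickjacking the victim page receives only the second
// click of the double-click, with no preceding mouse movement or key press.
const GESTURE_EVENTS = ["mousemove", "pointermove", "keydown"];

function createSensitiveActionGate() {
  let gestureSeen = false;
  return {
    // Feed an event type; returns true once the gate has opened.
    recordEvent(type) {
      if (GESTURE_EVENTS.includes(type)) gestureSeen = true;
      return gestureSeen;
    },
    // Whether the sensitive control should currently be enabled.
    isEnabled() {
      return gestureSeen;
    },
    // A click may proceed only after a gesture has been observed.
    allowAction(eventType) {
      return gestureSeen && eventType === "click";
    },
  };
}

// Keep the control disabled until the gate opens, then stop listening.
// `doc` is passed in so the wiring can be exercised without a real DOM.
function protectButton(button, gate, doc) {
  button.disabled = true;
  const onGesture = (ev) => {
    if (gate.recordEvent(ev.type)) {
      button.disabled = false;
      for (const t of GESTURE_EVENTS) doc.removeEventListener(t, onGesture);
    }
  };
  for (const t of GESTURE_EVENTS) doc.addEventListener(t, onGesture);
}

// Browser wiring; guarded so the module also loads outside a browser.
if (typeof document !== "undefined") {
  // Assumed id of the consent/authorization button on the protected page.
  const btn = document.getElementById("authorize-btn");
  if (btn) protectButton(btn, createSensitiveActionGate(), document);
}
```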

Commercial websites face serious risks, including regulatory violations, if their confidential data or customers’ information is stolen via such exploits. For law firms, unauthorized access to sensitive files or client accounts could lead to breaches of attorney-client privilege.

Firms should collaborate with IT teams to ensure their websites and applications are fortified against DoubleClickjacking. Proactive measures such as implementing enhanced UI protections, adopting client-side mitigations, and following emerging browser security standards are essential to safeguarding confidential data.
