A new attack technique threatens online orders

marry 09.01.2025, 13:00 PM

Cyber ​​security expert Paulos Jibelo demonstrated a new attack technique that could significantly compromise the security of online accounts. It is an attack called “DoubleClickjacking”, which uses the user’s double clicks to bypass security mechanisms.

The risks associated with DoubleClickjacking stem from how it tricks users into performing sensitive actions, such as authorizing OAuth applications, confirming Multi-Factor Authentication (MFA) queries, or even installing web browser extensions.

Traditional Clickjacking attacks that have been around for over a decade usually rely on hidden iframes to manipulate user clicks. This means that malicious websites can trick users into clicking on hidden buttons that they did not intend to click.

However, DoubleClickjacking uses a unique mechanism that bypasses the protections associated with iframes, focusing instead on a mix of timing and user interaction.

How does DoubleClickjacking work?

A typical DoubleClickjacking attack includes the following:

Bait: The victim lands on a malicious website that contains a button with a tempting bait, such as “Click here for your reward”;

Multi-layered deception: Clicking a button opens a new overlay window on the victim’s screen, prompting them to perform a seemingly harmless action such as solving a captcha;

In the background, JavaScript dynamically changes the base page to a legitimate website, aligning buttons or links with the victim’s cursor;

Exploitation: The victim’s second click is on the now-visible sensitive button, which triggers actions such as granting permissions or authorizing transactions;

This manipulation bypasses traditional clickjacking defenses. Because the exploit involves direct user interaction with legitimate sites, it effectively bypasses cookie protection and cross-site request restrictions.

To make matters worse, the attack is not limited to computers or websites but can also affect browser extensions and mobile phones.

Unfortunately, the current defense is weak. Time-based exploits still lack solid defense mechanisms, although Jibelo has proposed several proactive measures that can counter this new threat, including JavaScript protection, i.e. implementing scripts to disable sensitive buttons until explicit user movements, such as mouse movements, are detected. , which would reduce the probability of accidental clicks on sensitive elements.

Photo: Pixabay