Cybersecurity threats continue to diversify, and attack techniques evolve to get around the protections already in place. Among these newer attacks, doubleclickjacking stands out: it turns an ordinary mouse double-click into a way of making users perform an action on a site they are logged into, without their realizing it. Clickjacking was already a formidable technique; its variant, doubleclickjacking, recently described by Paulos Yibelo, a security engineer at Amazon, may well pose an even greater challenge for developers and administrators.
Understanding clickjacking
Classic clickjacking relies on hiding the control the attacker wants clicked behind, or beneath, a harmless-looking button or link. When users click on what they believe is a legitimate element, they are in fact triggering a hidden action on another site, for the attacker's benefit. Whether the goal is to change an account setting, approve a request or disclose data, this technique has long been a favorite tool of cybercriminals.
Clickjacking exploits the trust that users place in well-known websites. The attacker's page loads the target site, most often in an invisible or disguised iframe, and positions one of its real buttons exactly under a decoy element. When the user interacts with the decoy, the click lands on the hidden control of the framed site, which can lead to data theft, unwanted changes to the account or other unauthorized actions, all performed with the victim's own session.
The attack therefore consists of enticing the user to click on something innocuous that is in reality a hidden link or button carrying the harmful action. Classic clickjacking is commonly mitigated by HTTP response headers such as X-Frame-Options (and its successor, the Content-Security-Policy frame-ancestors directive), which prevent a site from being framed by another, and by the SameSite=Lax or SameSite=Strict cookie attribute, which keeps session cookies from being sent in cross-site contexts. However, as Paulos Yibelo's research shows, doubleclickjacking bypasses these defenses because it uses neither an iframe nor a cross-site request.
Doubleclickjacking: how it works and its implications
How doubleclickjacking works
Doubleclickjacking takes advantage of the interval between the first and second click of a double-click. The attacker's page invites the user to double-click a seemingly innocuous button, for instance to pass a CAPTCHA-style check, typically in a popup window. What happens in the background is far less benign.
Between the two clicks, the attacker's JavaScript rearranges the windows so that the second click lands on a sensitive element in a different page, such as the confirmation button of an OAuth authorization prompt or a control on a critical account-settings page. The user thus clicks on something they never intended to validate, and the attacker exploits that interaction for their own ends.
“One of the surprising aspects of this method is that it doesn’t matter how slow or fast the target double-clicks. Favoring the mousedown event handler allows this phenomenon to be exploited even for the fastest or slowest users.”
Paulos Yibelo
Doubleclickjacking in brief: an insidious threat
Doubleclickjacking exploits the short interval between the mousedown event (the moment the mouse button is pressed) and the click event (fired once the button is released) to perform a rapid window swap. The attacker uses the first press to replace the harmless window with one containing sensitive elements, before the user completes the double-click. The user believes they are performing a harmless action, when in fact they are unwittingly authorizing a malicious one.
How does it work?
- Initial window: the attacker's page opens a seemingly innocuous window (e.g. a CAPTCHA-style "double-click to verify" prompt), while the target page is loaded, or is about to be loaded, in the window underneath.
- Window exchange: before the second click, the harmless window gives way to the target page, loaded as a normal top-level page in the user's own authenticated session, where the sensitive element sits (e.g. an OAuth authorization button).
- Exploitation of timing: the mousedown of the first click closes the harmless window, so the target page is now what lies under the cursor.
- Malicious second click: the second click, performed by the user, is delivered by the browser as a perfectly ordinary click on the sensitive element of the target page, without the user being aware of it. This action can range from authorizing a third-party application's access to an account to validating a fraudulent payment.

Why is it dangerous?
This technique is particularly dangerous because it enables attackers to:
- Divert sensitive actions: users can be tricked into authorizing fraudulent third-party applications or performing other security-compromising actions without realizing it. Unlike phishing, which requires the victim to knowingly enter credentials or approve something, doubleclickjacking only asks for a reflexive double-click on an innocuous-looking button and does the rest by exploiting a technical loophole.
- Bypass existing protections: even websites that deploy clickjacking protections can be vulnerable, because doubleclickjacking does not rely on framing or on cross-site cookies, the two things those protections address.
Doubleclickjacking is therefore a serious threat that requires constant vigilance from developers and users alike.
Doubleclickjacking vs. classic clickjacking: key differences
Although doubleclickjacking is an evolution of classic clickjacking, several key distinctions set them apart.
Classic clickjacking:
- Mechanism: the attacker frames a legitimate web page, invisibly or disguised, inside a page under the attacker's control. When the user clicks on what looks like the attacker's content, the click is delivered to a button of the framed legitimate site without the user knowing it.
- Protection: sites protect themselves with the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive, which browsers enforce to block framing, and with SameSite cookies, which keep the session out of cross-site requests.
Doubleclickjacking:
- Mechanism: the attacker exploits a double-click sequence to trick the user. A popup window shows a seemingly innocuous button; when the user double-clicks it, the first press dismisses the popup and the second click lands on a sensitive page already loaded underneath (such as an authorization or payment page).
- Protection: conventional clickjacking protection is ineffective here, since no framing and no cross-site request takes place. New measures are needed, such as client-side scripts that keep sensitive buttons disabled by default.
Case studies and demonstrations
Paulos Yibelo has demonstrated the feasibility of these attacks on popular platforms such as Salesforce, Slack and Shopify. For example, he was able to authorize third-party applications to access users' accounts or disable critical security settings without the user's informed consent.
The technique is not limited to classic web pages. It can also target browser extensions, opening the door to the compromise of cryptocurrency wallets, web applications or even VPN services.
Defenses against doubleclickjacking
Limits of existing protection
Traditional clickjacking protections, such as the HTTP headers mentioned above, prove ineffective against doubleclickjacking. These defenses were not designed with the timing and event-ordering tricks of this new attack in mind.
Since no iframe is used and no cookie is sent across domains, doubleclickjacking never triggers the mechanisms those defenses rely on; it calls for a response specific to this threat.
New solutions on offer
To counter doubleclickjacking, new client-side protection scripts are needed. These JavaScript scripts keep sensitive buttons and critical links disabled by default until a more reliable sign of genuine user interaction is detected. Some potential approaches:
- Disabling critical buttons until a valid gesture (pointer movement, a key press) is detected on the page
- Stronger verification of user actions through multiple validation steps
- Continuous monitoring of user interactions to spot suspicious patterns, such as a click that arrives immediately after the page was exposed
- In the long term, browsers could adopt new standards that limit rapid context switching between windows during a double-click sequence
- As a best practice, developers should integrate such protection scripts on sensitive pages (authentication, authorization, payments, etc.) until browsers ship built-in protection
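As an added example (not code from this article, and not Paulos Yibelo's own script), the following JavaScript shows one way to implement the first and third approaches above on a sensitive page, and replays the four-step attack sequence from the "How does it work?" section against it. The button stays disabled until the page has been in front for a while and the pointer has moved across it, and it re-locks whenever the page comes to the front, which is exactly the moment of the window swap. The thresholds (500 ms, two pointer moves), the re-lock rule and the simulation harness at the bottom are assumptions constructed for this example; in a browser you would pass the real button and document (or window, for focus events) instead of the fake nodes.

```javascript
// Added example: a client-side guard for a sensitive button (e.g. an OAuth
// "Authorize" button) against DoubleClickjacking. Not code from the original
// article or from Paulos Yibelo. The thresholds and the "re-lock when the page
// is exposed" rule are assumptions. Uses only EventTarget/Event, so it runs in
// Node and, given real DOM objects, in a browser.

const GUARD_DEFAULTS = {
  armDelayMs: 500,   // assumed: no click is honoured this soon after the page was exposed
  requiredMoves: 2,  // assumed: at least this many pointer moves on the page before arming
};

// Keeps `button.disabled` true until the page has been in front for armDelayMs
// AND the user has moved the pointer (or pressed a key) on it. `page` is the
// EventTarget receiving mousemove/keydown/visibilitychange/focus. `now` is
// injectable so the simulation below is deterministic. Install the guard
// before attaching the application's own click handler.
function installDoubleClickGuard(button, page, options = {}) {
  const opts = { ...GUARD_DEFAULTS, ...options };
  const now = opts.now || (() => Date.now());
  let moves = 0;
  let exposedAt = now();
  button.disabled = true;

  const maybeArm = () => {
    if (moves >= opts.requiredMoves && now() - exposedAt >= opts.armDelayMs) {
      button.disabled = false;
    }
  };
  // Pointer movement or typing is evidence the user is really on this page.
  page.addEventListener('mousemove', () => { moves += 1; maybeArm(); });
  page.addEventListener('keydown', () => { moves = opts.requiredMoves; maybeArm(); });

  // The swap in a DoubleClickjacking attack exposes this page an instant before
  // the second click: every time the page comes to the front, start over.
  const relock = () => { exposedAt = now(); moves = 0; button.disabled = true; };
  page.addEventListener('visibilitychange', relock);
  page.addEventListener('focus', relock);

  // Belt and braces: a real browser does not deliver clicks to a disabled
  // button, but drop any click that arrives while locked anyway. Registered
  // first, so it runs before the application's handler on the same target.
  button.addEventListener('click', (ev) => {
    if (button.disabled) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  });
}

// --- Simulation harness (constructed for this example) ---------------------
class FakeNode extends EventTarget {
  constructor() { super(); this.disabled = false; }
}

// events: [deltaMs, 'page' | 'button', eventType]. Returns whether the
// sensitive action (the application's "authorize" handler) ended up running.
function runTimeline(events) {
  let t = 0;
  const page = new FakeNode();
  const button = new FakeNode();
  let authorized = false;
  installDoubleClickGuard(button, page, { now: () => t });
  button.addEventListener('click', () => { authorized = true; }); // the real handler
  for (const [dt, target, type] of events) {
    t += dt;
    (target === 'page' ? page : button).dispatchEvent(new Event(type, { cancelable: true }));
  }
  return authorized;
}

// Attack timeline: the decoy popup closes on the first mousedown, this page
// becomes visible, and the user's second click lands ~100 ms later with no
// pointer movement on this page in between.
function simulateAttack() {
  return runTimeline([
    [0, 'page', 'visibilitychange'],
    [100, 'button', 'mousedown'],
    [20, 'button', 'mouseup'],
    [0, 'button', 'click'],
  ]);
}

// Legitimate use: the page has been in front for a while, the user moves the
// pointer across it, then clicks.
function simulateLegitimate() {
  return runTimeline([
    [0, 'page', 'focus'],
    [300, 'page', 'mousemove'],
    [400, 'page', 'mousemove'],
    [500, 'page', 'mousemove'],
    [200, 'button', 'click'],
  ]);
}

// Edge case: some pointer movement, but the click still arrives within armDelayMs.
function simulateTooSoon() {
  return runTimeline([
    [0, 'page', 'visibilitychange'],
    [50, 'page', 'mousemove'],
    [50, 'page', 'mousemove'],
    [50, 'button', 'click'],
  ]);
}

console.log('attack:', simulateAttack(), 'legit:', simulateLegitimate(), 'too soon:', simulateTooSoon());
```

Running the file prints `attack: false legit: true too soon: false`: the replayed attack never reaches the application's handler, while an ordinary interaction does. The guard deliberately only arms on a gesture, so a click that follows pointer movement but lands before the delay has elapsed is still dropped until the next movement; tune `armDelayMs` against your own users' behaviour rather than treating 500 ms as a measured value.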
Alongside technical solutions, user vigilance remains essential. Before double-clicking to confirm anything, take a moment to examine what is on screen, check the site's URL and make sure the operation is legitimate. Even though double-clicking is an automatic gesture, remember that in that brief moment a malicious page may have replaced the harmless one; even the fastest double-click offers no protection.
In short, doubleclickjacking represents a new frontier in UI redressing attacks. Its ability to bypass traditional security mechanisms by exploiting double-clicks poses substantial challenges for cybersecurity professionals. It is essential to remain vigilant and to implement appropriate defenses to protect users effectively against this pernicious threat.
To find out more: DoubleClickjacking: A New Era of UI Redressing (Paulos Yibelo)