Hack Reports - Latest Cybersecurity News, Trends & Updates

New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

Geetansh -

Latest News on DoubleClickjacking Vulnerability 2025

DoubleClickjacking is a sophisticated form of the traditional clickjacking attack that exploits unsuspecting users with a two-click sequence, bypassing existing defenses and leaving websites and user accounts vulnerable to takeover1.

How DoubleClickjacking Works

  1. Initial Setup:

    • An attacker designs a malicious website featuring an innocent-looking button, such as “Double-click to verify you’re not a robot.”

  2. Triggering the Exploit:

    • Upon clicking, a new window opens with a prompt. Simultaneously, the parent window’s content is replaced with a sensitive page, such as an OAuth authorization dialog.
    • The first click closes or alters the top-level window, and the second click interacts with the replaced content, unknowingly authorizing malicious actions1.

Real-World Implications

  • Account Takeovers: Attackers can gain unauthorized access to user accounts.
  • Malicious App Authorization: Permissions are granted to harmful applications, exposing sensitive user data.
  • Critical Account Changes: Attackers may modify settings, disable security features, or initiate financial transactions1.

Affected Platforms

  • Platforms like Salesforce, Slack, and Shopify have been identified as vulnerable to this attack. Additionally, browser extensions such as crypto wallets and VPNs are susceptible, enabling attackers to authorize fraudulent transactions or disable security features1.

Bypassing Existing Protections

  • Traditional safeguards like Content Security Policies (CSP), SameSite cookies, and X-Frame-Options headers are ineffective against DoubleClickjacking1.

Mitigation Strategies

  1. Client-Side Protections:

    • Developers can implement JavaScript-based solutions to prevent unauthorized clicks on sensitive elements.
    • Enhancements to CSP directives to account for context-switching in multi-click scenarios1.

  2. Developer Best Practices:

    • Protect sensitive pages with additional scripts and authentication checks.
    • Limit the use of window.opener to prevent unauthorized navigation changes.
    • Implement stricter controls over embedded content in iframes1.

Comparison with Other Web Security Threats

Cross-Site Request Forgery (CSRF):

  • CSRF attacks deceive users into performing unintended actions by tricking them into submitting a malicious form on a legitimate site. Unlike DoubleClickjacking, CSRF typically involves a single action and relies on the user's session cookies to authenticate the request2.

Conclusion

DoubleClickjacking is a significant threat to web security in 2025, exploiting the timing and sequence of two user clicks to bypass existing defenses. It poses severe risks to platforms relying on OAuth and other sensitive frameworks, including account takeovers and malicious app authorizations. To mitigate this attack, developers must implement robust client-side protections and adhere to best practices in web security.

References

1 Technijian. (2025-01-01). DoubleClickjacking – A New Cyber Threat Exposing Websites 2025. Retrieved from https://technijian.com/cyber-security/doubleclickjacking-the-new-double-click-attack-to-hack-websites-and-take-over-accounts/

2 CSDN Blog. (2025-01-01). 深入探究CSRF 攻击:原理、危害与防范之道. Retrieved from https://blog.csdn.net/m0_60315436/article/details/144807245