A new technique is helping attackers steal user accounts, often without the victim noticing, experts have warned.
The attack, called “DoubleClickjacking,” was disclosed by security researcher and bug hunter Paulos Yibelo, and is an evolution of the well-established “Clickjacking” tactics, which have been around for over a decade.
Since modern browsers have mitigated the risk of classic clickjacking by no longer sending cross-site cookies, one-click hijacks have become less common for hackers. Threat actors have stepped up their game by adding a second click.
The technique works by encouraging users to “double click”, for example by posing as a “CAPTCHA” notification that asks for verification with a double click.
However, unbeknownst to the victim, the small gap between the first and the second click is exploited against them: the attacker opens a new window, usually the “captcha notification” page, which is then exchanged for a malicious site between the first and the second click, in a “sleight of hand” type trick.
The danger in this attack is quite clear, since most defenses are not designed to handle double clicks, and the protections in web apps and frameworks are bypassed. The technique can also be used on mobile sites, asking the targets to “double tap”.
DoubleClickjacking can be used to obtain API and OAuth permissions on many major sites, and is “extremely rampant”, according to the researcher. This can lead to serious consequences for the victim, especially since it requires minimal user interaction.
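As an added defensive illustration (not code from the article or from the researcher), one way a page hosting a sensitive button can refuse a click that lands the instant its window gains focus, before the user has made any deliberate pointer movement. The 500 ms threshold and the `data-sensitive` attribute are assumptions chosen for the example; the decision logic is kept separate from the DOM wiring so it can be tested without a browser.

```javascript
// Added defensive example, not from the article or the researcher.
// Idea: the swapped-in sensitive page receives the second click the moment
// it appears, so a click with no prior pointer movement that arrives right
// after window focus is treated as untrusted.
const MIN_MS_AFTER_FOCUS = 500; // assumed grace period between focus and a trusted click

// Pure decision logic. state: { focusedAt: number|null, sawPointerMove: boolean }
function shouldHonorClick(state, clickTime) {
  if (state.focusedAt === null) return false;        // window never gained focus
  if (!state.sawPointerMove) return false;           // no deliberate pointer movement in this window
  if (clickTime - state.focusedAt < MIN_MS_AFTER_FOCUS) return false; // click landed as the window appeared
  return true;
}

// Small state machine fed by focus/blur/pointermove events.
function createClickGuard() {
  const state = { focusedAt: null, sawPointerMove: false };
  return {
    onFocus(now) { state.focusedAt = now; state.sawPointerMove = false; },
    onPointerMove() { state.sawPointerMove = true; },
    onBlur() { state.focusedAt = null; state.sawPointerMove = false; },
    allow(now) { return shouldHonorClick(state, now); },
  };
}

// Browser wiring; only runs where a DOM exists so the file also loads under Node.
if (typeof document !== 'undefined') {
  const guard = createClickGuard();
  window.addEventListener('focus', () => guard.onFocus(performance.now()));
  window.addEventListener('blur', () => guard.onBlur());
  document.addEventListener('pointermove', () => guard.onPointerMove(), { passive: true });
  if (document.hasFocus()) guard.onFocus(performance.now());
  // Assumed convention: sensitive controls carry a data-sensitive attribute.
  for (const btn of document.querySelectorAll('button[data-sensitive]')) {
    btn.addEventListener('click', (ev) => {
      if (!guard.allow(performance.now())) {
        ev.preventDefault();
        ev.stopImmediatePropagation(); // runs in capture phase, before the button's own handler
        console.warn('Blocked click on sensitive control: no deliberate interaction yet');
      }
    }, true);
  }
}
```

A blocked click can additionally be logged server-side to spot pages that repeatedly receive focus-and-click within the grace window.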
“DoubleClickjacking is a sleight of hand around a well-known attack class. By exploiting event timing between clicks, attackers can seamlessly swap benign UI elements for sensitive ones in the blink of an eye,” said Yibelo.