Ethical Hacking News
A new "DoubleClickjacking" exploit has been discovered that bypasses clickjacking protections on major websites, leaving website owners and cybersecurity experts worried about the potential impact. The exploit leverages a double-click sequence to facilitate clickjacking attacks and account takeovers, highlighting the importance of staying vigilant and proactive when it comes to cybersecurity.
Researchers have discovered a new "DoubleClickjacking" exploit that bypasses clickjacking protections on major websites. The exploit leverages a double-click sequence to facilitate clickjacking attacks and account takeovers with minimal user interaction. The attack exploits the gap between the start of a click and the end of the second click, bypassing security controls and defenses like X-Frame-Options and SameSite cookies. Website owners can eliminate the vulnerability by using client-side approaches that disable critical buttons unless a mouse gesture or key press is detected. Long-term solutions involve adopting new standards, akin to X-Frame-Options, that defend against double-click exploitation. Securing open source platforms is also crucial in preventing exploitation.
THN Exclusive: A New DoubleClickjacking Exploit Has Been Discovered, Leaving Cybersecurity Experts Worried and Website Owners Reeling
The cybersecurity landscape is constantly evolving, with new threats and exploits emerging every day. In a recent development that has left the industry abuzz, researchers have discovered a novel exploit, dubbed "DoubleClickjacking" by security researcher Paulos Yibelo, that bypasses clickjacking protections on major websites. The technique leverages a double-click sequence to facilitate clickjacking attacks and account takeovers on nearly all major websites.
The mechanism behind this exploit is quite straightforward. When a user visits an attacker-controlled site that opens a new browser window or tab, either without any user interaction or at the click of a button, they are prompted to double-click to complete a step. While the double-click is underway, the parent site uses the JavaScript window.location object to stealthily redirect itself to a sensitive page on the target site, such as the page for approving a malicious OAuth application.
At the same time, the top window is closed, so the second click lands on the permission confirmation dialog and the user unknowingly grants access. This twist on traditional clickjacking exploits the gap between the start of the first click and the end of the second click to bypass security controls and take over accounts with minimal interaction.
Yibelo explained that "Most web apps and frameworks assume that only a single forced click is a risk," but DoubleClickjacking adds a layer many defenses were never designed to handle. Methods like X-Frame-Options, SameSite cookies, or Content Security Policy (CSP) cannot defend against this attack.
So how can website owners eliminate this vulnerability class? According to Yibelo, they can use a client-side approach that disables critical buttons by default and only enables them once a mouse gesture or key press is detected. Services like Dropbox have been found to already employ such preventive measures.
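One way to implement the client-side approach described above, as an added example that is neither from the article nor Yibelo's own code. The button stays disabled until the page has focus and has seen a trusted mousemove or keydown; the short settle delay after focus and the Event.isTrusted check are assumptions added here, not something the article specifies.

```javascript
// Added example: an "arming" guard for a sensitive button. A DoubleClickjacking
// page arrives at the target with the victim's second click already in flight,
// so a click with no preceding genuine mouse movement or key press inside this
// page is treated as untrusted and the button remains disabled.

const ARM_DELAY_MS = 500; // assumed settle time after the window gains focus

function createArmingGuard(now = () => Date.now()) {
  let focusedAt = null;   // timestamp when this window last became focused
  let intentSeen = false; // a trusted mousemove/keydown occurred after focus

  return {
    onFocus() { focusedAt = now(); intentSeen = false; },
    onBlur()  { focusedAt = null;  intentSeen = false; },
    onIntent(ev) {
      if (focusedAt === null) return;             // events before focus do not count
      if (ev && ev.isTrusted === false) return;   // ignore script-dispatched events
      if (now() - focusedAt >= ARM_DELAY_MS) intentSeen = true;
    },
    isArmed() { return focusedAt !== null && intentSeen; },
  };
}

// Wire the guard to a DOM button: disabled by default, enabled only once armed.
// Browser-only; `document` and `window` are resolved when this is called.
function protectButton(button, doc = document, win = window, guard = createArmingGuard()) {
  button.disabled = true;
  const refresh = () => { button.disabled = !guard.isArmed(); };

  win.addEventListener('focus', () => { guard.onFocus(); refresh(); });
  win.addEventListener('blur',  () => { guard.onBlur();  refresh(); });
  for (const type of ['mousemove', 'keydown']) {
    doc.addEventListener(type, (ev) => { guard.onIntent(ev); refresh(); });
  }
  if (doc.hasFocus()) { guard.onFocus(); refresh(); }
  return guard;
}
```

Call protectButton on the OAuth "Authorize" button (or any irreversible action) at page load; the button only becomes clickable after the user has demonstrably interacted with the page.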
Furthermore, long-term solutions involve adopting new standards akin to X-Frame-Options to defend against double-click exploitation. "DoubleClickjacking is a twist on a well-known attack class," Yibelo said. "By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye."
Securing open source platforms is also crucial. Recent software supply chain incidents have shown that even seemingly secure platforms are vulnerable to exploitation if not properly secured.
The discovery of this new exploit highlights the importance of staying vigilant and proactive when it comes to cybersecurity. With new threats emerging every day, it's essential for website owners and users alike to be aware of these vulnerabilities and take steps to protect themselves.
In conclusion, the DoubleClickjacking exploit is a stark reminder that even with the most robust security measures in place, there are always going to be new threats waiting in the wings. By staying informed and taking proactive steps to secure our online presence, we can minimize the risk of falling victim to these types of attacks.
Related Information:
https://thehackernews.com/2025/01/new-doubleclickjacking-exploit-bypasses.html
https://cybersecuritynews.com/doubleclickjacking/
Published: Wed Jan 1 09:14:51 2025 by llama3.2 3B Q4_K_M