A New type of web hacking technique: DoubleClickjacking
46 comments
·January 14, 2025krunck
KTibow
TFA doesn't use separate windows, only separate tabs.
NoMoreNicksLeft
Agreed, but I think this was a workaround for early web apps that existed in the primitive days. You'd need two webpages of the same site open to complete some task, but the apps weren't sophisticated enough to do that within a single window/tab. Once they did it back then, now too many web apps and workflows would suffer if they just killed that functionality entirely, too many users would scream.
bangaladore
Bit off topic, but what's the reasoning behind messing with the native browser scroll here. Almost gets me motion sick when scrolling through this article.
packtreefly
It is the height of irony to me that a blog post complaining about clickjacking is presented on a website that is guilty of scrolljacking.
thoughtpalette
I thought the same. Glad to see it called out here. Maybe that's the post for next week...
mediumsmart
the scrolling is almost normal in librewolf - but that is with privacy badger blocking 14 trackers on that page ...
gwbas1c
I'm a little skeptical that this is a real exploit.
When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.
I also don't understand when the popup is shown, and what the element is when the popup is closed.
Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate
akersten
It's also not a novel threat model. For example prior art, the browser confirmation dialogs in Firefox at least don't enable their buttons until the window has had focus for 500ms or so. Possibly to avoid inadvertently unintentionally clicking "run" on a recently downloaded item, but it solves for this too and I wouldn't be shocked if this was on their mind too.
If I were running some site where pressing a button does some kind of auth that I really want a user to read, that seems like a reasonable mitigation compared to the hyperbole found in the article:
> This technique seemingly affects almost every website
maxrmk
This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.
chatmasta
The exploit would be more effective if it obfuscated the UI on the authorization (victim) page. Right now, even if you double click a convincing button, it’s extremely obvious that you just got duped (no pun intended).
Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.
I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.
Back in the day, this trick was used for clickjacking Digg upvotes.
bee_rider
Hmm. I guess it is never impossible that there’s a version of something that will trick people consistently. But, I’m kinda struggling to recall a time I’ve needed to double click on a website.
Actually the double-click action is pretty rare nowadays, right? In particular, I use it a lot to select a word in a terminal, but most of the time when I am getting UI instructions it is from a website about how to use the website itself, and since that’s a website it has to be abstract enough to also make sense for mobile users.
Telling people to double click is, I think, mostly dead.
foobazgt
My mother constantly struggles between when to double click or not after decades of using computers. This is probably an issue that will die out with her generation, though.
Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks. I've had a couple of logitechs do this to me. And the thing about scams is you can often legit make money off of very low success rates.
chatmasta
It doesn’t need to be a literal double click. It could be something like a CAPTCHA “confirm you’re human,” where you click once, it appears to load, and then you click a confirm button. Do it fast enough and it might appear like a double click.
Not sure this would work with the exploit though.
efortis
I think the suggested mitigation will only work when the user double-clicks without moving the mouse.
So I'd try adding a small timeout when the tab is visible:
document.addEventListener("visibilitychange", () => {
if (!document.hidden)
setTimeout(enableButtons, 200)
})efortis
and `disableButtons` on `document.hidden`
sharpshadow
New fear unlocked lazy cookie consent banners.
null
null
yellow_lead
Am I mistaken or does this require the user to allow pop-ups?
gruez
Default configuration for most browsers is to allow popups if it was initiated by a user action.
gnabgib
Title: DoubleClickjacking: A New Era of UI Redressing
IshKebab
Eh, it's hardly seamless, and double clicking is extremely uncommon on the web so that would be a big red flag.
Etheryte
I couldn't even begin to count how many bug reports I've seen over the years that start with "when I accidentally double-click foo, bar happens". It might not be an intentional usage pattern, sure, but that doesn't mean it doesn't happen a lot.
kevinsync
Yeah, I have no data beyond anecdotal to back this up, but I witness A LOT of people double-clicking everything, regardless of what it is. I assume it's because they only got so far in "computer" as to learn "click + drag to move, double-click to open a program or file". Link on a web page? I want to open that!
uhoh-itsmaciek
Google Drive uses it as an interaction pattern. I find that baffling, but while uncommon, it's not totally absent. And as others have pointed out, many users carry over their expectation of having to double-click from desktop interfaces.
recursive
I double click to select text all the time. Get your flags ready.
bangaladore
I'd laugh if an effective way to present this is:
CAPTCHA:
Please copy `qwertyuiopasdfhkl`
Into here `<textbox>`
Edit: Quick (ai mockup) concept... https://imgur.com/mc0IdEA Obviously it would be most effective with a longer string though.
kazinator
Web browsers and the applications on them have become extremely memory hungry. Memory management pauses are common and people click multiple times irately.
giantrobot
Double clicking on the web is extremely common with older less technically adept users. This same cohort is also the most susceptible to scams.
bangaladore
Another obvious case of double click is to select all text in a given area. This one is a bit more obscure though.
Edit: Actually that's generally I guess triple click. Double to select a word.
waltwalther
This. I have told my eighty-year-old parents this many times over the years, but it doesn't seem to stick.
Moru
I see a lot of people doubleclicking on the web. Both young and old.
NotYourLawyer
I’ve tried to explain it many times too, but I can’t really articulate a good, comprehensive rule for when to single and when to double click.
doublerabbit
> double clicking is extremely uncommon on the web so that would be a big red flag.
You've never had a slow internet connection have you? I've seen double clicking from all users in the office. Comes from frustration.
How many times have you tried to open an application; for it not open? So you click the icon again only for two windows to split open?
Young, old, even techs. It's not as uncommon as you think.
portaouflop
I’ve even triple or quadruple clicked sometimes with disastrous results
Browser content should never be able to modify the configuration of my desktop window layout by opening a new window. There I said it.