
DoubleClickjacking: A New type of web hacking technique

janmo

There is also a technique where they ask you to press [Win + R] + [CTRL + V] + [ENTER] to verify that you are human.

This will install malware: the code was put in the clipboard using JavaScript.

account42

Letting JavaScript manipulate the clipboard was a mistake. Yet another "feature" that's added for apps but absolutely useless for the web.

yapyap

Yeah, you paste malicious code into the Run window (basically a PowerShell) and then paste in code. Pretty obvious most of the time.

HeliumHydride

The "Run" app appears right after pressing Win+R, so this wouldn't work.

janmo

I tried it on a VM; it did work. [WIN + R] opens the Run app in the bottom-left corner.

[CTRL + V] pastes a small code snippet into the Run app, and once [ENTER] is pressed it closes the Run app and in the background downloads and executes a larger code snippet from a malicious website.

So if you press exactly what they told you to press, it would install malware on your computer. Now, this typically targets people that don't even know what the Run app is.

begueradj

There is the classic "drive by download attack" where you have nothing to press.

grokblah

This could be mitigated by solving a longstanding UX issue: UI elements changing just before you click or tap.

Why not, by default, prevent interactions with newly visible (or newly at that location) UI elements? I find it incredibly annoying when a page is loading and things appear or move as I’m clicking/tapping. A nice improvement would be to give feedback that your action was ineffective/blocked.


maxrmk

This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.

chatmasta

The exploit would be more effective if it obfuscated the UI on the authorization (victim) page. Right now, even if you double click a convincing button, it’s extremely obvious that you just got duped (no pun intended).

Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.

I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.

Back in the day, this trick was used for clickjacking Digg upvotes.

Dwedit

Can you open a tiny iframe then scroll it to a particular location on the page, or does HTML and JS not allow that?

joshfraser

You can change the visibility of the target page so they wouldn't know.

jeroenhd

I don't think you can, but you could open a popup over the target to hide the authorisation page to make it a little less obvious. JS also has a window.close() function for opened windows, but I believe browsers might show a warning when you try that on an external origin.

One could also confuse the user by spawning a whole bunch of tabs for other services after clicking the authorise button, making the user think something weird is going on and closing all the tabs that just popped up without realising they clicked the authorisation button.

chatmasta

How? You don't control the DOM on that. You can adjust the window prior to changing its location but that's it.

seanwilson

Why stop at double-click? "Click here 10 times quickly to confirm you're human". Or some kind of clicker game.

temporallobe

Like in reCAPTCHA (v2 at least) where it asks users to click on tiles to identify common objects like bridges or motorcycles. Surely one could conjure up a fake version of this.

seanwilson

I've seen people complete actual CAPTCHAs that were something like "Click here exactly 10 times to prove you're human" so I don't think you'd need anything fancy. People wouldn't stop to question it and are used to doing much weirder CAPTCHAs without understanding what they're for.

adrr

Punch the monkey by double clicking it.

bee_rider

Hmm. I guess it is never impossible that there’s a version of something that will trick people consistently. But, I’m kinda struggling to recall a time I’ve needed to double click on a website.

Actually the double-click action is pretty rare nowadays, right? In particular, I use it a lot to select a word in a terminal, but most of the time when I am getting UI instructions it is from a website about how to use the website itself, and since that’s a website it has to be abstract enough to also make sense for mobile users.

Telling people to double click is, I think, mostly dead.

foobazgt

My mother constantly struggles between when to double click or not after decades of using computers. This is probably an issue that will die out with her generation, though.

Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks. I've had a couple of Logitechs do this to me. And the thing about scams is you can often legitimately make money off of very low success rates.

JadeNB

> Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks.

Speaking of things dying out, it's been so long since I used anything but a trackpad that I thought at first this was some strange claim about rodents!

opello

And may just come back once some subset of the population only interacts with touch screen devices.

chatmasta

It doesn’t need to be a literal double click. It could be something like a CAPTCHA “confirm you’re human,” where you click once, it appears to load, and then you click a confirm button. Do it fast enough and it might appear like a double click.

Not sure this would work with the exploit though.

hansvm

YouTube gets me to double-click on occasion:

- The page mostly loads

- An ad starts playing

- I attempt to hit "pause" while I go handle a thing or two [0]

- As I'm about to click "pause", the layout shifts to the left exactly enough for me to unmute the ad

- I immediately click again to stop listening to whatever scam is currently being peddled

[0] For some videos I like to read the description before watching. For all videos I like to make it as obvious as possible to Google that there isn't a real person watching the ad (browser not focused, ad muted, ...).

dylan604

Google Drive and similar sites use double click for folders to open, as a regular OS would. Single click tends to show some metadata, while the double click does the actual navigation.

It pisses me off.

efortis

I think the suggested mitigation will only work when the user double-clicks without moving the mouse.

So I'd try adding a small timeout when the tab is visible:

  document.addEventListener("visibilitychange", () => {
    if (document.hidden) {
      disableButtons()                 // tab hidden behind the popup: lock the buttons
    } else {
      setTimeout(enableButtons, 200)   // tab visible again: re-enable only after a short delay
    }
  })

efortis

and `disableButtons` on `document.hidden`

joshfraser

Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.

https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/

paulpauper

Bug bounties are kind of a joke. They will invent almost any reason to not pay. It has to be something where the site is malfunctioning, not CSS tricks, which have to do with the browser, not the vendor. Clickjacking can work on any site, not just Amazon.

nneonneo

The idea here is simple: get users to commit to clicking twice, but the popup page only accepts a single click before closing. Their second click goes to the page underneath the popup, which is e.g. an authorization button.

gwbas1c

I'm a little skeptical that this is a real exploit.

When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not at a public website. I also don't understand the "proof," i.e., something showed up in the Salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.

I also don't understand when the popup is shown, and what the element is when the popup is closed.

Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate

akersten

It's also not a novel threat model. For example, as prior art, the browser confirmation dialogs in Firefox at least don't enable their buttons until the window has had focus for 500ms or so. Possibly to avoid inadvertently clicking "run" on a recently downloaded item, but it solves for this too, and I wouldn't be shocked if this was on their mind too.

If I were running some site where pressing a button does some kind of auth that I really want a user to read, that seems like a reasonable mitigation compared to the hyperbole found in the article:

> This technique seemingly affects almost every website
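The gate described in the comments above (efortis's visibility timeout, and akersten's note that Firefox's dialogs ignore clicks for the first ~500ms of focus), as an added example that is not part of the thread or of the original article. The 500ms settle period is an assumption, the fake DOM exists only so it runs outside a browser, and the replay function reconstructs the popup-closes-then-second-click timeline from nneonneo's description:

```javascript
// Added example (not from the thread or the article it discusses): a
// visibility "settle" gate for a sensitive button such as an OAuth "Allow".
// The button is disabled while the document is hidden, and any click that
// arrives within settleMs of the page becoming visible again is swallowed.
// The pre-committed second click of DoubleClickjacking lands in exactly that
// window, so it never reaches the real handler. Runs in Node against a
// minimal fake DOM; in a browser, pass the real `document` and the button
// element (API assumed: addEventListener, hidden, disabled, preventDefault,
// stopImmediatePropagation).

const DEFAULT_SETTLE_MS = 500; // assumption: same order as the Firefox delay mentioned above

function createSettleGate(doc, button, { settleMs = DEFAULT_SETTLE_MS, now = Date.now } = {}) {
  let visibleSince = doc.hidden ? null : now(); // when the page last became visible
  const stats = { accepted: 0, dropped: 0 };

  const settled = () => visibleSince !== null && now() - visibleSince >= settleMs;
  const refresh = () => { button.disabled = !settled(); }; // mirror gate state onto the button

  doc.addEventListener('visibilitychange', () => {
    visibleSince = doc.hidden ? null : now(); // every return to visibility restarts the clock
    refresh();
  });

  // Capture-phase listener: runs before the page's own handler and can
  // cancel the event entirely while the gate is closed.
  button.addEventListener('click', (ev) => {
    if (!settled()) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
      stats.dropped += 1;
      return;
    }
    stats.accepted += 1;
  }, true);

  refresh();
  return { settled, refresh, stats };
}

// Minimal fake DOM so the gate can be exercised outside a browser.
class FakeTarget {
  constructor() { this.listeners = []; this.hidden = false; this.disabled = false; }
  addEventListener(type, fn, capture = false) { this.listeners.push({ type, fn, capture }); }
  dispatch(type) {
    const ev = {
      type, defaultPrevented: false, stopped: false,
      preventDefault() { this.defaultPrevented = true; },
      stopImmediatePropagation() { this.stopped = true; },
    };
    // Capture listeners run before bubbling ones, as in the real DOM.
    const ordered = this.listeners.filter((l) => l.type === type)
      .sort((a, b) => Number(b.capture) - Number(a.capture));
    for (const { fn } of ordered) { if (ev.stopped) break; fn(ev); }
    return ev;
  }
}

// Replay the timeline from the thread: the victim's tab is covered by the
// attacker's popup, the popup closes on click #1, the tab becomes visible, and
// click #2 lands on the button gapMs later. A fake clock keeps it deterministic.
function replayDoubleClick(gapMs, settleMs = DEFAULT_SETTLE_MS) {
  let clock = 0;
  const doc = new FakeTarget();
  const button = new FakeTarget();
  let authorised = 0;
  button.addEventListener('click', () => { authorised += 1; }); // the real "Allow" handler
  const gate = createSettleGate(doc, button, { settleMs, now: () => clock });

  doc.hidden = true;  doc.dispatch('visibilitychange'); // popup opened over the tab
  const lockedWhileHidden = button.disabled;
  clock += 1000;
  doc.hidden = false; doc.dispatch('visibilitychange'); // popup closed by click #1
  clock += gapMs;
  button.dispatch('click');                             // click #2 hits "Allow"
  return { authorised, dropped: gate.stats.dropped, lockedWhileHidden };
}

console.log(replayDoubleClick(50));   // { authorised: 0, dropped: 1, lockedWhileHidden: true }
console.log(replayDoubleClick(600));  // { authorised: 1, dropped: 0, lockedWhileHidden: true }
```

In a real page the click-time check is the authoritative part; `setTimeout(gate.refresh, settleMs)` after the tab becomes visible only restores the button's visual state once the period has passed, which is what efortis's snippet does. Note the limit of this defence: it is purely client-side, it only covers the timing variant discussed here, and it does nothing against the "paste into Run" social-engineering attack from the top of the thread.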

stavros

It doesn't matter where the file was, the page simply redirects itself to the Salesforce website and opens a popover with the "double click me" button over the "allow" button in the window below.

inopinatus

People who write search result UIs that update/rearrange whilst you're trying to select something have known about the general class of bait-and-switch click vulnerability for years.

Vortigaunt

Thankfully this shouldn't become a large problem, because websites simply don't load that quickly.

Too

They load in the background. Look at the second video attempting to attack Slack. Look closely at the first tab in the top left corner, you can see that it is loading and eventually settles on Slack before the victim clicks the button. The attacker website has a delay on the click button to allow it to finish.

lozenge

Make them fill in the CAPTCHA on the temporary page, then double click to finish.

joshfraser

It could be preloaded

cryptonector

I understood GP's joke, but I don't understand yours.

bawolff

Neither are a joke.

The exploit requires pages to load instantly. The first person was saying it usually takes a few hundred ms to load a page (at least). The second person points out that you can load the page in the background so it is in the local browser cache already, in which case loading is near instant.

alp1n3_eth

I feel like this relies more on social engineering itself than anything else. I think confirmations / captchas should be in use for any critical functionality any way, but watching the exploit vid makes it seem like I can submit a bug for a user going to GitHub, downloading malware, then running that malware, because an email told them they should. The extra tab involvement wouldn't raise any red flags for a user?

sharpshadow

New fear unlocked: lazy cookie consent banners.

steven_noble

The article’s headline says it’s a new technique. The article’s body does not really say this.

Too

This is just a variation of a trick that is as old as the internet. Most old attacks were using timing instead of double-clicking, usually by tricking the user into clicking on a bouncing monkey to win a prize, instead hitting what was behind it.

The real question is, how have browser vendors still not learned. Don't allow any clicks the first moments after a focus change.

mylastattempt

If they implement that without an opt-out in the settings, even if buried deep, using the web as a 'power user' will become even more painful!