Double-click danger – experts warn that attackers can steal your accounts with just two clicks
- Researcher Paulos Yibelo discovers new attack targeting users
- The attack uses fake CAPTCHA notification pages
- Users are encouraged to ‘double-click’ while the attacker swaps in a malicious page between the two clicks
A new technique is helping attackers steal user accounts, often without the victim noticing, experts warn.
The attack, called ‘DoubleClickjacking’, was revealed by security researcher and bug hunter Paulos Yibelo and is an evolution of established ‘Clickjacking’ tactics, which have been around for over a decade.
Since modern browsers have reduced the risk of clickjacking by no longer sending cross-site cookies, one-click hacks have become less common for hackers. Threat actors have stepped up their game by adding a second click.
Dexterity
The technique works by encouraging users to ‘double-click’, namely by masquerading as ‘CAPTCHA’ notifications and requesting verification with a double-click.
However, unbeknownst to the victim, the small gap between the first and second click is exploited against them: the attacker has opened a new window, usually the ‘CAPTCHA notification page’, and in the split second between the two clicks it is swapped for a malicious page, so the second click lands there, in what amounts to a ‘magic trick’.
The danger of this attack is quite clear, because most clickjacking defenses, including the protections built into web apps and frameworks, are not designed to handle double-clicking and are bypassed. The technique can also be used on mobile sites, where targets are asked to ‘double-tap’.
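Because the second click lands on a page that has only just appeared under the cursor, a defender-side countermeasure can refuse clicks on a sensitive control until the page has been visible for a short while and the user has actually moved the pointer on it. The following is an added illustrative example, not code from the article or from the researcher; the guard name, the 500 ms threshold and the `attachClickGuard` helper are assumptions made for illustration.

```javascript
// Added example (not from the article): a "click guard" for a sensitive
// button, e.g. an authorization control. A click is accepted only if the
// page has been visible and focused for at least minArmMs AND the user has
// moved the pointer over this page since it became visible. A page that was
// swapped in an instant before a rapid second click satisfies neither.
// All names and the 500 ms threshold are illustrative assumptions.

const MIN_ARM_MS = 500; // assumed minimum time the page must be visible first

function createClickGuard(minArmMs = MIN_ARM_MS) {
  let visibleSince = null;  // timestamp when the page last became visible/focused
  let pointerMoved = false; // has a pointermove happened since then?
  let rejected = 0;         // how many clicks were refused (useful for telemetry)

  return {
    // Call on load, on window focus, and when visibility changes to visible.
    onShown(now) { visibleSince = now; pointerMoved = false; },
    // Call on blur or when the page is hidden; the guard must re-arm afterwards.
    onHidden() { visibleSince = null; pointerMoved = false; },
    onPointerMove() { if (visibleSince !== null) pointerMoved = true; },
    isArmed(now) {
      return visibleSince !== null && pointerMoved && now - visibleSince >= minArmMs;
    },
    // Returns true if the click should be acted on, false if it must be ignored.
    onClick(now) {
      if (this.isArmed(now)) return true;
      rejected += 1;
      return false;
    },
    rejectedCount() { return rejected; },
  };
}

// Browser binding (assumed helper): keeps the button disabled until the guard
// is armed and drops clicks that arrive while it is not. Only runs in a DOM.
function attachClickGuard(button, action, minArmMs = MIN_ARM_MS) {
  const guard = createClickGuard(minArmMs);
  const now = () => performance.now();
  const refresh = () => { button.disabled = !guard.isArmed(now()); };
  const shown = () => {
    guard.onShown(now());
    refresh();
    setTimeout(refresh, minArmMs + 10); // re-check once the arm time has elapsed
  };
  const hidden = () => { guard.onHidden(); refresh(); };

  button.disabled = true;
  document.addEventListener('visibilitychange', () => (document.hidden ? hidden() : shown()));
  window.addEventListener('focus', shown);
  window.addEventListener('blur', hidden);
  document.addEventListener('pointermove', () => { guard.onPointerMove(); refresh(); });
  button.addEventListener('click', (ev) => {
    if (!guard.onClick(now())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
      return;
    }
    action(ev);
  });
  if (!document.hidden) shown();
  return guard;
}
```

In a page, `attachClickGuard(document.querySelector('#authorize'), submitAuthorization)` would wire the guard to the real button; the state machine in `createClickGuard` is kept free of DOM calls so it can be unit-tested with synthetic timestamps. The guard complements, rather than replaces, frame-busting headers such as `X-Frame-Options` and `frame-ancestors`, which do nothing against a click that lands on a top-level window.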
DoubleClickjacking can be used to gain API and OAuth permissions for many major sites, and is “extremely widespread,” according to the researcher. This can lead to serious consequences for the victim, especially since it requires so little user interaction.
“DoubleClickjacking is a magic trick with a well-known attack class. By leveraging event timing between clicks, attackers can seamlessly replace benign UI elements with sensitive ones in an instant,” said Yibelo.