The new threat of cyberattacks exploiting double-clicking


The world of cyberattacks is constantly evolving, and attackers keep finding new ways to circumvent the security measures put in place by companies and users. A relatively recent technique, called DoubleClickjacking, is causing particular concern among cybersecurity experts.

The rise of DoubleClickjacking in the cybersecurity landscape

Clickjacking was already well known in the cybersecurity community: an attack in which users are tricked into clicking a seemingly innocuous element of a web page, which then triggers malicious actions or the exfiltration of sensitive data. DoubleClickjacking is an evolution of this technique, using two successive clicks to bypass the usual security controls.

As the name suggests, DoubleClickjacking takes advantage of the user’s double-click sequence rather than a single click. This variant lets attackers manipulate the user interface more subtly, for example validating authentication pages without the user being aware of it. It bypasses protections such as the X-Frame-Options header and SameSite=Lax/Strict cookies, which are generally effective against traditional clickjacking.

Traditional defenses ineffective against DoubleClickjacking

The researcher Paulos Yibelo showed how far current defenses lag behind this new technique. While X-Frame-Options, SameSite cookies and Content Security Policy (CSP) previously offered robust protection against clickjacking attacks, they prove powerless against DoubleClickjacking. By exploiting the interval between the user’s first and second click, the method even affects web applications from tech giants such as Salesforce, Slack and Shopify, according to Yibelo’s demonstrations.

To illustrate the severity of the threat, several videos show how an attacker can gain access to accounts on these platforms without being detected. Imagine that while solving a captcha, your second click quietly grants a critical permission, opening the door to malicious actions. This subtlety makes DoubleClickjacking particularly formidable.

Potential impacts on users and businesses

The increasing sophistication of DoubleClickjacking attacks poses a major danger to both individual users and businesses. The consequences can range from theft of personal data to costly intrusions compromising company information systems. By targeting authentication processes, these attacks allow hackers to bypass built-in security, often without the victims’ knowledge.

For users, this could mean losing access to their personal and professional accounts, with direct repercussions on their privacy and financial security. For businesses, the impact could be even more devastating, including significant financial losses, reputational damage and breaches of data protection regulations.

Real-World Examples of Vulnerabilities and Vendor Responses

Concrete examples abound to illustrate the threat posed by DoubleClickjacking. In several demonstrations, researchers successfully compromised accounts on popular platforms such as Salesforce, Slack and Shopify. These incidents should push providers to strengthen their security systems and to communicate more with their users about the risks and the available prevention measures.

Some companies are already starting to explore new ways to counter this type of attack. They deploy controls that keep certain buttons disabled until the user has made an explicit, deliberate gesture. This approach, however, requires balancing security against user experience, which overly restrictive controls tend to degrade.
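The mitigation just described, as an added example that is not from the article or from any of the vendors named: a client-side guard that keeps a sensitive button disabled until the page itself has observed a deliberate gesture, here pointer movement or a key press (my choice of gesture), so that a click arriving on a freshly revealed window with no prior gesture is refused. The class and function names are my own.

```javascript
// Added example: gesture-gated sensitive action (not the article's code).
// A DoubleClickjacking second click lands on the target page without the user
// ever having moved the pointer or typed on that page, so "no gesture seen yet"
// is the signal the guard refuses on.
class GestureGuard {
  constructor({ minMoves = 2 } = {}) {
    this.minMoves = minMoves;   // pointer-move events required before enabling
    this.moves = 0;
    this.keyPressed = false;
    this.blocked = 0;           // refused clicks; worth logging as telemetry
  }
  onPointerMove() { this.moves += 1; }
  onKeyDown() { this.keyPressed = true; }
  // The sensitive action is allowed only after an explicit gesture.
  isEnabled() { return this.keyPressed || this.moves >= this.minMoves; }
  // Returns true when the click is accepted, false when it is refused.
  attemptClick() {
    if (!this.isEnabled()) { this.blocked += 1; return false; }
    return true;
  }
}

// Wire the guard to a real button when a DOM is present (no-op under Node).
function attachGuard(button, guard, onAccept) {
  if (typeof document === 'undefined') return guard;
  button.disabled = true;                       // disabled by default
  document.addEventListener('pointermove', () => {
    guard.onPointerMove();
    if (guard.isEnabled()) button.disabled = false;
  });
  document.addEventListener('keydown', () => {
    guard.onKeyDown();
    button.disabled = false;
  });
  button.addEventListener('click', (ev) => {
    if (!guard.attemptClick()) { ev.preventDefault(); return; }
    onAccept(ev);
  });
  return guard;
}

// Constructed scenario: a click with no prior gesture, then a genuine user
// who moved the pointer before clicking.
function simulate() {
  const g = new GestureGuard();
  const hijacked = g.attemptClick();     // refused: no gesture observed
  g.onPointerMove();
  g.onPointerMove();
  const legitimate = g.attemptClick();   // accepted after real movement
  return { hijacked, legitimate, blocked: g.blocked };
}
```

In a browser, call `attachGuard(document.querySelector('#authorize'), new GestureGuard(), submitAuthorization)` on the authorization button; the guard is deliberately independent of framing headers, which this attack does not trigger.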
