Double The Clickjacking Double The Fun(For The Bad Guys)

You have heard of “Clickjacking”, but have you heard of “Double Clickjacking”?
It’s twice as dangerous... Just kidding, but it is still plenty annoying.
Most major websites already use the X-Frame-Options and Content-Security-Policy headers to thwart Clickjacking. Maybe you are even really ambitious and set your cookies with the SameSite attribute.
But what do you know about Double Clickjacking? (Oddly enough, that sounds dirty in my head as I write this.)
This attack takes some skill. What happens is you load up a malicious web page. It instructs you to “double-click” some UI element on the page. That UI element is positioned very specifically, for reasons I will get into in a second.
Once the malicious page detects the first click, it immediately does a window.location redirect to another website.
Now what happens if that website is the OAuth consent page for Google or Facebook, granting an unknown third-party app access to your information? And that UI element from the first page just happens to be perfectly placed over the “Accept” button. So the second click of the double-click lands on that Accept button, granting the bad guys whatever permissions they asked for.
This is pretty devious and honestly a bit ingenious (not to give the bad guys too much credit).
Protecting Against This:
First, as a person browsing the internet, don’t double-click stuff in the browser. That is some weird, wonky UX, and if a legitimate site has you do that, they don’t deserve to be in business.
Second, as the engineer building and maintaining websites, you may want to consider locking sensitive UI elements until the cursor has moved a handful of pixels on your page.
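One way to build that lock, as an added example that is not code from the original post: the sensitive button starts disabled and only unlocks once the pointer has actually travelled a few pixels on this page and a short minimum time has passed since load, which is exactly what the second click of a redirected double-click does not do. The element id `oauth-accept`, the thresholds (8 px, 500 ms) and the function names `createGestureGate` / `wireGate` are assumptions for the example; the gate logic is kept DOM-free so it can run under Node as well as in a browser.

```javascript
// Added example, not from the original post: a "gesture gate" for a
// sensitive button (e.g. an OAuth consent "Accept"). The button is only
// honoured after real pointer movement AND a minimum dwell time on this page.
// Thresholds and the element id are assumptions chosen for illustration.

const MIN_MOVE_PX = 8;     // assumption: pointer must travel at least this far
const MIN_DWELL_MS = 500;  // assumption: minimum time since page load

function createGestureGate(opts = {}) {
  const minMove = opts.minMovePx ?? MIN_MOVE_PX;
  const minDwell = opts.minDwellMs ?? MIN_DWELL_MS;
  const state = { loadedAt: 0, origin: null, travelled: 0, unlocked: false };

  // Unlock only when both conditions hold; once unlocked, stay unlocked.
  function unlockedAt(now) {
    if (state.travelled >= minMove && now - state.loadedAt >= minDwell) {
      state.unlocked = true;
    }
    return state.unlocked;
  }

  return {
    // Record when this page became interactive (timestamps in ms).
    start(now) { state.loadedAt = now; },
    // Feed every pointermove; returns true once the gate is open.
    move(x, y, now) {
      if (state.origin === null) { state.origin = { x, y }; return unlockedAt(now); }
      const d = Math.hypot(x - state.origin.x, y - state.origin.y);
      state.travelled = Math.max(state.travelled, d);
      return unlockedAt(now);
    },
    // Ask on click whether the click should be honoured.
    allowClick(now) { return unlockedAt(now); },
  };
}

// Browser wiring: disable the button, enable it when the gate opens, and
// swallow any click that arrives before then (capture phase, so it runs
// ahead of the application's own click handler).
function wireGate(button, gate, now = () => performance.now()) {
  button.disabled = true;
  gate.start(now());
  document.addEventListener('pointermove', (e) => {
    if (gate.move(e.clientX, e.clientY, now())) button.disabled = false;
  });
  button.addEventListener('click', (e) => {
    if (!gate.allowClick(now())) { e.preventDefault(); e.stopImmediatePropagation(); }
  }, true);
}

if (typeof document !== 'undefined') {
  const btn = document.getElementById('oauth-accept'); // assumed element id
  if (btn) wireGate(btn, createGestureGate());
}
```

The dwell time matters as much as the movement check: in the scenario above the second click lands within a fraction of a second of the redirect, so a page that refuses clicks in its first half second blocks the trick even if the browser happens to report a stray pointer event on load. Disabling the button server-side is not an option here, so the check lives in the page, and the capture-phase handler means an attacker cannot bypass it by the button's own handler firing first.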
Good luck out there!
If you are interested check out the short video with a cameo from my puppy.
PS: If you enjoy this type of content let me know. I am dabbling with doing themed days. Something like the following:
- Monday - AWS
- Tue - Long video, hopefully, so not exactly writing.
- Wed - Cyber Security
- Thur - Comic
- Friday - Miscellaneous/Business
Probably not exactly that but let me know what type of content you want to hear the most about. Do you like the variety or do you prefer one topic or another?
Let me know. Thanks!