Full Report
Clickjacking, also known as the UI Redress attack, is a mechanism to steal clicks to perform sensitive actions on a website. This is done by iframing the victim website inside the attacker's website and tricking the user into clicking on particular sensitive parts of the website. With SameSite: Lax, the framed website becomes unauthenticated, making this much harder to exploit. This article is about a new variant of this called Double Clickjacking. The main idea is to use some sleight-of-hand trickery that exploits the small gap between the start of a click and the end of a click across multiple windows. By quickly swapping between pages, it's possible to get a user to click on something in an unintended fashion. The video is the best demonstration of it, but it's very fast.

There are some more complications to how this works, though. The attacker creates an initial webpage. This opens a new window. When the new window opens, it asks the user to "double click" on it. Once the user is on this page, the new window changes the parent window's location to the target page. This means that the parent window now shows the target page while the top window shows the double-click prompt. When the user does the double click, the mousedown causes the top window (the current page) to close. The second click lands on the exposed authorization button in the parent window. With this, access has been granted. The reason this works is that each click has multiple parts. We can use part of the click and then force the rest of it onto someone else's page.

Any sort of one-click permission can be abused with this, such as OAuth permissions or data sharing on Google Drive. This bypasses traditional clickjacking protections like CSP. This also isn't just about websites: it can affect Chrome extensions as well. To mitigate this, the author suggests disabling critical buttons unless a gesture is detected on that page. This ensures that the actions were meant for the particular page.
For longer-term solutions, a header could be implemented that just resets all gestures. I really like that they thought of a good protection, which many folks wouldn't do. The attack is really cool! I personally don't fully understand why each step happens, but it's interesting nonetheless.
Analysis Summary
# Tool/Technique: DoubleClickjacking (Advanced UI Redressing)
## Overview
DoubleClickjacking is an advanced variant of the classic Clickjacking (UI Redress) attack. It exploits the timing and event-order gap between the start of a click (`mousedown`) and the completion of a double-click sequence across multiple browser windows. Unlike traditional clickjacking, which is often mitigated by `SameSite: Lax` cookies or Frame-busting headers (XFO/CSP), DoubleClickjacking bypasses these defenses by using a new window/tab as the interaction layer rather than an `iframe`.
## Technical Details
- **Type:** Technique (UI Redressing/Interaction Hijacking)
- **Platform:** Web Browsers (Desktop and Mobile), Chrome Extensions
- **Capabilities:** Bypasses CSP `frame-ancestors`, `X-Frame-Options`, and `SameSite` cookie restrictions to perform unauthorized actions.
- **First Seen:** Publicized December 2024 by Paulos Yibelo.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - **[T1566 - Phishing]**: Tricking the user into visiting a malicious site and performing a "double click."
- **[TA0003 - Persistence]**
  - **[T1133 - External Remote Services]**: Gaining persistence via unauthorized OAuth token generation.
- **[TA0006 - Credential Access]**
  - **[T1557 - Adversary-in-the-Middle]**: Redressing UI to capture authorization.
## Functionality
### Core Capabilities
- **Event Timing Hijacking:** Uses the `mousedown` event on a top-level malicious window to trigger `window.close()`. This allows the subsequent `mouseup` or the second click of a double-click sequence to land on the underlying parent window.
- **Context Swapping:** While the user is focused on a "decoy" window (e.g., a fake CAPTCHA), the script uses `window.opener.location` to navigate the background parent window to a sensitive target (like an OAuth permission page).
- **Security Bypass:** Since the target page is loaded in a main window/tab (not an iframe), `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` are not triggered.
### Advanced Features
- **SameSite Cookie Bypass:** Because the target site is the top-level window, the browser sends all cookies (including `SameSite: Lax` or `Strict`), ensuring the victim is authenticated during the hijacked click.
- **Cross-Platform:** Applicable to mobile via "Double Tap" gestures and browser extensions (e.g., hijacking crypto wallet "Confirm" buttons).
## Indicators of Compromise
- **File Hashes:** N/A (Web-based technique)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:**
  - Presence of malicious redirectors or decoy "CAPTCHA" sites.
  - Domains associated with the researcher's blog: `evil[.]blog` (for PoC purposes).
- **Behavioral Indicators:**
  - Rapid window opening followed by immediate `window.opener.location` modification.
  - Scripts listening for `mousedown` to execute `window.close()`.
## Associated Threat Actors
- No specific APT groups tied to this yet, but it is a general-purpose technique usable by any actor targeting OAuth providers, financial platforms, or cloud services.
## Detection Methods
- **Behavioral Detection:** Monitoring for web pages that programmatically change their `opener.location` immediately after a new window is spawned.
- **Client-Side Monitoring:** Security tools can look for rapid context switching between windows during active user input gestures.
## Mitigation Strategies
- **User Gesture Validation:** Implement JavaScript that disables sensitive buttons (e.g., "Authorize") unless a specific, local user gesture is detected *on that specific page* after it has loaded.
- **Input Delay:** Forcing a short delay (e.g., 500ms-1s) before critical buttons become clickable after a page focus/load event.
- **Anti-Clickjacking Libraries:** Use defensive scripts (similar to those used by Stripe or GitHub) that ensure the UI state and focus are legitimate before processing actions.
- **Proposed Header:** Adoption of a hypothetical `Double-Click-Protection: strict` header to prevent UI swaps mid-sequence.
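As an added example (not code from the original article or the researcher's PoC), the first two mitigations combined: a guard that keeps a sensitive button disabled until this page has itself seen a passive local gesture and a settle delay has elapsed, and that resets whenever the page loses focus. `makeEmitter`, `opts.now` and `opts.schedule` are this example's own test hooks, not browser APIs.

```javascript
function makeEmitter() {
  // Minimal EventTarget stand-in so the example runs under Node without a DOM;
  // in a browser, pass `window` and a real <button> to createGestureGuard instead.
  const handlers = {};
  return {
    addEventListener(type, fn) { (handlers[type] = handlers[type] || []).push(fn); },
    dispatch(type) { (handlers[type] || []).forEach((fn) => fn({ type })); },
  };
}

function createGestureGuard(button, target, opts = {}) {
  const settleMs = opts.settleMs ?? 500;                       // the 500ms-1s range above
  const now = opts.now ?? (() => Date.now());                  // injectable clock (test hook)
  const schedule = opts.schedule ?? ((fn, ms) => setTimeout(fn, ms));
  let gestureAt = null;                                        // when this page first saw a gesture
  const guard = {
    isArmed() { return gestureAt !== null && now() - gestureAt >= settleMs; },
    refresh() { button.disabled = !guard.isArmed(); },
    // Call from the button's click handler; true means the click may proceed.
    handleClick() { guard.refresh(); return guard.isArmed(); },
    reset() { gestureAt = null; guard.refresh(); },
  };
  // Only passive gestures arm the button. mousedown/click deliberately do not,
  // because that is exactly the event that arrives stray when a decoy window closes.
  const onGesture = () => {
    if (gestureAt !== null) return;
    gestureAt = now();
    schedule(guard.refresh, settleMs);                         // enable once settled
  };
  target.addEventListener('mousemove', onGesture);
  target.addEventListener('keydown', onGesture);
  target.addEventListener('blur', guard.reset);                // focus left this page: start over
  guard.refresh();                                             // page loads with the button disabled
  return guard;
}

// Stand-alone demo with a fake clock and constructed events: a gesture at t=0,
// a click 100ms later (rejected) and another at 700ms (accepted).
function demo() {
  let t = 0;
  const page = makeEmitter();
  const button = { disabled: false };
  const guard = createGestureGuard(button, page, { now: () => t, schedule: () => {} });
  page.dispatch('mousemove');
  t = 100; const early = guard.handleClick();
  t = 700; const settled = guard.handleClick();
  return { early, settled };
}
console.log(demo());  // { early: false, settled: true }
```

In a real page, wire `guard.handleClick()` into the button's click listener and return early when it is false; the `blur` reset is what defeats the stray second click arriving right after the decoy window closes.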
## Related Tools/Techniques
- **Classic Clickjacking:** The precursor using `iframes`.
- **Tabnabbing:** Exploiting `window.opener` to navigate a background tab to a phishing site.
- **Browser Pop-unders:** Older techniques for hiding malicious windows.