Full Report
Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites. The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo. "Instead of relying on a single click, it takes advantage of a double-click sequence," Yibelo said.
Analysis Summary
# Vulnerability: DoubleClickjacking Technique Bypassing Clickjacking Protections
## CVE Details
- CVE ID: Not explicitly assigned in the provided text.
- CVSS Score: Not officially scored, rated as a widespread timing-based vulnerability class.
- CWE: Likely related to improper input handling or UI redressing (CWE-301, CWE-450, or similar UI/Input validation issues, though this depends on the final classification).
## Affected Systems
- Products: Major websites that rely on standard clickjacking protections for initiating actions (e.g., OAuth approvals, sensitive transactions).
- Versions: Not specified, as this is presented as a class of vulnerability affecting web application logic across potentially numerous products using JavaScript `window.location` manipulation synchronized with user double-clicks.
- Configurations: Web applications relying solely on traditional clickjacking mitigation techniques like `X-Frame-Options`, `SameSite` cookie attributes (Lax/Strict), or CSP alone.
## Vulnerability Description
The vulnerability class, dubbed "DoubleClickjacking," allows attackers to bypass established clickjacking protections by exploiting the timing window between the first and second events in a user's required double-click sequence.
The attack flow is as follows:
1. The victim visits an attacker-controlled site.
2. The attacker site opens a new, seemingly innocuous window/tab (e.g., mimicking a CAPTCHA).
3. The victim is prompted to double-click within this new window.
4. During the execution of the double-click sequence, the parent frame stealthily uses JavaScript (`window.location` object) to navigate to a malicious target page (e.g., authorizing an OAuth application or confirming a transaction).
5. Simultaneously, the parent frame closes itself.
The result is that the user unknowingly completes the necessary authorization/confirmation via the resulting click event mapping, granting the attacker access, as existing defenses are not designed to handle this timed, double-click-based UI manipulation.
## Exploitation
- Status: Researcher-disclosed; described as a widespread technique, implying potential for opportunistic exploitation against vulnerable applications.
- Complexity: Medium/High (Requires precise timing and knowledge of how the target site handles the double-click event synchronization).
- Attack Vector: Network (Requires the user to visit an attacker-controlled website).
## Impact
- Confidentiality: High (If used to approve access or grant data permissions).
- Integrity: High (If used to confirm sensitive transactions or settings changes).
- Availability: Low (The primary goal is manipulation, not denial of service).
## Remediation
### Patches
- No specific vendor patches are listed as the vulnerability is a class/technique affecting *all* major websites using vulnerable patterns. The solution requires client-side/application logic changes.
### Workarounds
- Implement client-side defenses that disable critical action buttons (e.g., confirmation dialogues, approval buttons) **by default** until a specific, non-ambiguous user interaction is confirmed, independent of standard click events or timing assumptions.
- Developers must ensure that critical actions relying on user consent are hardened beyond simple frame protection mechanisms.
## Detection
- **Indicators of Compromise:** Unexpected navigation or action confirmations occurring immediately following an interaction within a newly opened browser window or tab (especially actions requiring confirmation like OAuth grants).
- **Detection Methods and Tools:** Traditional clickjacking detection rules (HTTP headers, CSP) will likely fail. Detection requires analyzing JavaScript event handlers to ensure that critical functions that change application state are not solely triggered or confirmed based on timing windows that overlap with external, manipulated UI events.
## References
- Researcher Disclosure: https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
- News Source: https://thehackernews.com/2025/01/new-doubleclickjacking-exploit-bypasses.html