VTA-004503 – “DoubleClickjacking” Exploit Bypasses Clickjacking Protections
DoubleClickjacking is a clickjacking variant published by Paulos Yibelo in December 2024 that sidesteps the usual clickjacking defenses by abusing the sequence of events a browser fires during a double-click. Conventional clickjacking loads the target page in an iframe and tricks the user into clicking through an invisible element; DoubleClickjacking never frames the target. Instead it uses the short gap between the first and second click to change which window sits under the pointer, so the second click lands on a sensitive control the user never intended to press.
In a typical attack, the attacker's page opens a new window containing an innocuous-looking prompt, such as a "double-click to verify you are human" CAPTCHA. JavaScript on the attacker's pages uses the window.opener reference to navigate the underlying window to the target site's sensitive page, for example an OAuth authorization screen or an account-settings form, and closes the prompt window on the mousedown of the first click. Because mousedown fires before the click event completes, the second click of the double-click is delivered to whatever is now under the pointer: the target page's authorize or confirm button. No iframe is involved and the target page loads as a top-level navigation carrying the user's own session, so X-Frame-Options, the CSP frame-ancestors directive and SameSite cookie attributes are all satisfied and offer no protection. The weakness is not a bug in any one site but the ordering of pointer events across a window swap that the target page cannot observe.
Until browsers ship a general defense, mitigation falls to the application. Sensitive buttons should be rendered disabled by default and enabled only after the page observes a deliberate user gesture such as mouse movement or a key press; the second click of a double-click arrives with no such gesture in between, so it lands on a button that is still disabled. Sensitive operations, OAuth consent flows in particular, should not be designed around newly opened windows or tabs. Browser-level defenses, such as a dedicated HTTP header or an extension of CSP, would close the gap for every site at once and are worth advocating for. Users can be taught to treat unsolicited "double-click to continue" prompts with suspicion, and regular security reviews of any page where a single click performs a state-changing action help identify exposed flows before an attacker does.
Severity:
Medium
Attack Surface:
Mobile Application, Others, Web Application, Web Browser
Tactics:
Execution, Initial Access
Techniques:
T1010: Application Window Discovery
T1102: Web Service
T1176: Browser Extensions
T1204: User Execution
References:
1. https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
SuperPRO’s Threat Countermeasures Procedures:
1. Render sensitive buttons disabled and enable them from JavaScript only after a deliberate user gesture (mouse movement or keyboard input) has been observed on the page.
2. Avoid performing sensitive actions (e.g., OAuth consent) in newly opened windows or tabs.
3. Regularly audit code that opens windows or is reachable through window.opener, and any page where a single click performs a state-changing action.
4. Advocate for browser-level mitigations, such as the proposed Double-Click-Protection HTTP header or expanded CSP rules.
5. Educate users that legitimate sites rarely require a double-click to proceed, and that an unexpected click should never be treated as authorization.
6. Collaborate with browser vendors to expedite development and adoption of defensive standards.
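The gesture-gated button described in the mitigation paragraph and in countermeasure 1, written as an added example for this advisory (it is not code from the original page or from the cited write-up). The guard is a small state machine so it can be exercised in Node without a DOM; attachGuard() wires it to a real element when a document exists. The class and function names, the 250 ms settle time and the event streams are this example's own assumptions, and the streams are constructed, not captured from a browser.

```javascript
// Added example: keep sensitive buttons disabled until the page has seen a
// deliberate user gesture. In a DoubleClickjacking sequence the target page is
// exposed between the two clicks of a double-click: the pointer does not move
// and no key is pressed before the second click arrives, so a button that only
// arms itself after mousemove/keydown (and after a short settle time since
// load) is still disabled when that click lands.

class GestureArmedGuard {
  // loadedAt: timestamp (ms) at which the page became interactive.
  // settleMs: gestures earlier than this after load are ignored, so that a
  //           synthetic mousemove fired during initial layout cannot arm
  //           the button. 250 ms is an assumed value, not a browser constant.
  constructor(loadedAt, { settleMs = 250 } = {}) {
    this.loadedAt = loadedAt;
    this.settleMs = settleMs;
    this.armed = false;
    this.rejected = 0; // clicks dropped while disarmed (useful for telemetry)
  }

  // Feed document events here; only mousemove and keydown can arm the guard.
  onEvent(type, at) {
    if (type === 'mousemove' || type === 'keydown') {
      if (at - this.loadedAt >= this.settleMs) this.armed = true;
    }
  }

  // Returns true if a click at time `at` should be honoured.
  acceptClick(at) {
    this.onEvent('click', at);
    if (!this.armed) { this.rejected += 1; return false; }
    return true;
  }
}

// Replay a stream of [type, timestamp] pairs against a fresh guard and return
// the accept/reject decision for each click, in order.
function replay(events, { loadedAt = 0, settleMs = 250 } = {}) {
  const guard = new GestureArmedGuard(loadedAt, { settleMs });
  const results = [];
  for (const [type, at] of events) {
    if (type === 'click') results.push(guard.acceptClick(at));
    else guard.onEvent(type, at);
  }
  return results;
}

// Browser wiring: the button stays disabled at the DOM level (a disabled
// button receives no click at all), and a capture-phase click listener acts
// as a second line of defence if the attribute is ever cleared early.
function attachGuard(button, doc = globalThis.document) {
  const guard = new GestureArmedGuard(performance.now());
  button.disabled = true;
  const arm = (e) => {
    guard.onEvent(e.type, e.timeStamp);
    if (guard.armed) {
      button.disabled = false;
      doc.removeEventListener('mousemove', arm);
      doc.removeEventListener('keydown', arm);
    }
  };
  doc.addEventListener('mousemove', arm);
  doc.addEventListener('keydown', arm);
  button.addEventListener('click', (e) => {
    if (!guard.acceptClick(e.timeStamp)) {
      e.preventDefault();
      e.stopImmediatePropagation();
    }
  }, true);
  return guard;
}

// Constructed event streams (not captured traffic), times in ms since load:
// 1. DoubleClickjacking: the second click lands ~150 ms after the target page
//    is exposed, with no gesture in between.
const ATTACK_STREAM = [['click', 150]];
// 2. Real user: moves the pointer onto the button, then clicks.
const USER_STREAM = [['mousemove', 400], ['mousemove', 620], ['click', 700]];
// 3. A synthetic mousemove at load time, followed by the injected click.
const EARLY_MOVE_STREAM = [['mousemove', 20], ['click', 150]];

if (typeof document === 'undefined') {
  console.log('attack   :', replay(ATTACK_STREAM));     // [ false ]
  console.log('user     :', replay(USER_STREAM));       // [ true ]
  console.log('early mv :', replay(EARLY_MOVE_STREAM)); // [ false ]
}
```

In a page, call attachGuard(document.querySelector('#authorize')) once the form is rendered and keep the button's disabled attribute in the server-side markup, so the protection does not depend on script running before the first click arrives. Keyboard users are not locked out: a Tab or Enter key press arms the guard the same way pointer movement does.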
Contributed by: Anas