- Researcher Paulos Yibelo discovers a new attack aimed at users
- Attack uses fake CAPTCHA notification pages
- Users are encouraged to “double click”; in the gap between the two clicks the attacker swaps the page under the cursor for a sensitive one
Experts have warned that a new technique is helping attackers steal user accounts, often without the victim realizing it.
The attack, dubbed ‘DoubleClickjacking’, was revealed by security researcher and bug hunter Paulos Yibelo, and is an evolution of well-established ‘Clickjacking’ tactics, which have been around for over a decade.
Modern browsers have blunted classic clickjacking: cookies are withheld from cross-site embedded content by default (SameSite=Lax defaults and third-party cookie blocking), so a framed page is no longer loaded with the victim's session, and X-Frame-Options and CSP frame-ancestors let sites refuse to be framed at all. Single-click attacks have therefore become far less practical, so threat actors have stepped up their game by adding a second click.
Prestidigitation
The technique works by getting the user to double-click, typically by posing as a “CAPTCHA” prompt that asks for verification with a double click.
Unbeknownst to the victim, the short gap between the first and second click is used against them. The attacker's page opens a new window carrying the “CAPTCHA” prompt on top of the original one. The first click closes that window, and by then the window beneath it has been navigated to a sensitive page (for example an OAuth authorization prompt) whose confirm button sits exactly where the cursor already is, so the second click lands on that button, in a ‘sleight of hand’.
The danger of this attack is quite clear. Because the sensitive page is loaded as a top-level window rather than inside an iframe, frame-based protections (X-Frame-Options, CSP frame-ancestors) and SameSite cookie restrictions do not apply, and most web applications and frameworks have no defense tuned to a double click. The technique also works on mobile sites, where targets are asked to “double tap.”
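The following is an added example, not code from the article or from Yibelo's writeup. It sketches a client-side “click gate” in the spirit of the mitigation his research suggests: keep a sensitive control inert until the page has seen genuine user activity (mouse movement or a key press). In a DoubleClickjacking flow the sensitive page is swapped into the window between the victim's first and second click, so the click that lands on its button arrives with no prior activity on that page. The class name, the settle-time threshold and the event sequences are assumptions constructed for this example.

```javascript
// Added example (not from the article): a client-side "click gate" that keeps a
// sensitive control inert until the page has seen genuine user activity. In a
// DoubleClickjacking flow the sensitive page is swapped in between the victim's two
// clicks, so the click that reaches its button arrives with no prior mousemove or
// keydown on that page. Names, thresholds and event sequences are assumptions.

class ClickGate {
  constructor(opts = {}) {
    this.minSettleMs = opts.minSettleMs ?? 300;  // assumed grace period after first activity
    this.now = opts.now ?? (() => Date.now());   // injectable clock so it can be simulated
    this.armedAt = null;                         // time of first genuine activity on this page
  }

  // Feed 'mousemove', 'pointermove' and 'keydown' events here.
  onActivity() {
    if (this.armedAt === null) this.armedAt = this.now();
  }

  // Call on navigation / bfcache restore so a freshly shown page needs fresh activity.
  reset() {
    this.armedAt = null;
  }

  // Accept a click only if activity was seen AND it happened at least minSettleMs
  // earlier; the settle time guards against a synthetic move fired in the same instant
  // as the click (for example by a layout change under a stationary cursor).
  shouldAcceptClick() {
    return this.armedAt !== null && this.now() - this.armedAt >= this.minSettleMs;
  }
}

// Replays a constructed event stream through a fresh gate and returns one boolean per
// click: true = the real handler would run, false = the click is dropped.
function simulate(events) {
  const clock = { t: 0 };
  const gate = new ClickGate({ now: () => clock.t });
  const decisions = [];
  for (const ev of events) {
    clock.t = ev.t;
    switch (ev.type) {
      case 'mousemove':
      case 'keydown':
        gate.onActivity();
        break;
      case 'navigate':
        gate.reset();
        break;
      case 'click':
        decisions.push(gate.shouldAcceptClick());
        break;
    }
  }
  return decisions;
}

// Constructed event sequences (not captured traffic); timestamps in milliseconds.
// DoubleClickjacking: the sensitive page appears under the cursor at t=0 and the
// victim's second click lands about 150 ms later with nothing in between.
const ATTACK_SEQUENCE = [{ t: 150, type: 'click' }];
// Ordinary use: the user moves the mouse to the button, then clicks.
const LEGIT_SEQUENCE = [
  { t: 100, type: 'mousemove' }, { t: 250, type: 'mousemove' }, { t: 900, type: 'click' },
];
// Navigation after activity: the newly shown page must earn its own activity first.
const NAVIGATE_SEQUENCE = [
  { t: 100, type: 'mousemove' }, { t: 500, type: 'navigate' }, { t: 600, type: 'click' },
];

// Browser wiring (skipped under Node): gate a real button with the same logic.
function attachClickGate(button, doc = document) {
  const gate = new ClickGate();
  ['mousemove', 'pointermove', 'keydown'].forEach(
    (type) => doc.addEventListener(type, () => gate.onActivity(), { passive: true }));
  window.addEventListener('pageshow', () => gate.reset());
  button.addEventListener('click', (e) => {
    if (!gate.shouldAcceptClick()) { e.preventDefault(); e.stopImmediatePropagation(); }
  }, true); // capture phase, so the check runs before the application's own handler
  return gate;
}

if (typeof document !== 'undefined') {
  const btn = document.querySelector('[data-sensitive]');
  if (btn) attachClickGate(btn);
}
```

Replaying the constructed sequences, the attack stream is rejected while the ordinary move-then-click stream is accepted; a click that follows a navigation without new activity is also rejected. This is a heuristic, not a complete fix: the settle time is a guess, keyboard users are covered by counting keydown as activity, and a consent or authorization page should additionally require a confirmation that a single stray click cannot satisfy.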
DoubleClickjacking can be used to trick victims into granting API and OAuth permissions on many major sites and, according to the researcher, is “extremely rampant.” This can have serious consequences for the victim, especially since it requires minimal user interaction.
“DoubleClickjacking is a sleight of hand on a well-known attack class. By exploiting the event time between clicks, attackers can seamlessly swap benign UI elements for sensitive ones in the blink of an eye,” Yibelo noted.