Expert Sounds Alarm Over Double-Click Cyberattacks on Major Browsers
File photo of a hacker on his computer. (Nicolas Asfouri/AFP via Getty Images)
By Tom Ozimek
1/4/2025Updated: 1/5/2025

A new and “extremely rampant” cyberthreat exploits the timing of a mouse double-click to bypass clickjacking protections in web browsers and trick users into authorizing actions they never intended, such as sharing sensitive data or approving malicious app access, according to cybersecurity expert Paulos Yibelo.

Dubbed “double clickjacking,” the new threat manipulates browser users into unknowingly interacting with sensitive elements, such as login authorizations or account permissions, by seamlessly switching the context of a webpage during a double-click action, according to Yibelo, who detailed the exploit in a recent blog post.

Double clickjacking attacks typically begin with a malicious webpage presenting an innocuous prompt, such as a CAPTCHA or a verification request, asking the user to double-click to proceed. In the split second between the user’s first and second clicks, the attacker swaps the content under the cursor for something sensitive on a legitimate site, for instance a permission request. The second click lands on the swapped-in content and authorizes an action the user never meant to approve.

Double clickjacking is a novel variation of clickjacking, an attack that has been around for years. Clickjacking attacks enable malicious websites to trick users into clicking hidden buttons that they never intended to interact with, resulting in unauthorized transactions, data breaches, or transferred control over user accounts.

Classic clickjacking has become largely impractical because browsers now honor the protections sites set against being loaded inside a hidden frame, such as the X-Frame-Options and Content-Security-Policy frame-ancestors headers, and because SameSite cookies stop a framed page from acting as a logged-in user. Those defenses all assume the attacker embeds the target site. Double clickjacking sidesteps them by exploiting the sequence and timing of the user’s own clicks during a double-click, which makes it a more sophisticated and dangerous threat.

“While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie,” Yibelo said. “This technique seemingly affects almost every website, leading to account takeovers on many major platforms.”

Double clickjacking is dangerous for several reasons, according to Yibelo. Not only does it bypass traditional clickjacking protections, it can also target browser extensions as well as websites. Yibelo said proof-of-concept attacks have shown that it can drive popular browser-based crypto wallets to approve Web3 transactions the user never intended, and that it can be used to disable VPN extensions, potentially exposing a user’s IP address.

Further, double clickjacking is “extremely rampant,” according to Yibelo, who said every website he has tested is vulnerable to it by default. It also needs minimal user interaction: a single double-click, rather than filling out a form or performing multiple steps.

Yibelo said that long-term solutions to guard against double clickjacking would require browser updates and new standards. In the meantime, he recommends a relatively simple JavaScript mitigation that developers can add to their websites: disable critical buttons by default and re-enable them only once a genuine gesture, such as a mouse movement or a key press, has been detected on the page.
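The attack flow and the gesture-gating mitigation described above, as an added example written for this page (illustrative code, not Yibelo’s own snippet): critical controls start disabled, a mouse movement or key press on the page re-enables them, and a click that arrives without any such gesture is dropped. The selector, the list of arming events and the two event sequences are assumptions made for illustration; the gate itself has no DOM dependency so its logic can be exercised outside a browser.

```javascript
'use strict';

// Event types that prove a user is genuinely interacting with THIS page. A page
// swapped under the cursor between the two clicks of a double-click receives
// the second click without ever having seen one of these.
const ARMING_EVENTS = ['mousemove', 'pointermove', 'keydown', 'touchstart'];

// DOM-free gate so the decision logic runs (and can be tested) outside a browser.
function createGestureGate() {
  let armed = false;
  return {
    // Feed every event type the page observes, in order. Returns true only for a
    // click that arrives after at least one arming gesture on this page.
    observe(type) {
      if (ARMING_EVENTS.includes(type)) {
        armed = true;
        return false;
      }
      if (type === 'click' || type === 'dblclick') return armed;
      return false;
    },
    isArmed() {
      return armed;
    },
  };
}

// Replay an event sequence and report, for each click, whether it would be honoured.
function simulate(eventTypes) {
  const gate = createGestureGate();
  return eventTypes
    .map((type) => ({ type, accepted: gate.observe(type) }))
    .filter((e) => e.type === 'click');
}

// Constructed sequences (assumptions for illustration, not captured traces).
// Victim page that appears under the cursor after the attacker's first click:
// the only event it sees is the second click of the double-click.
const HIJACKED_SEQUENCE = ['click'];
// A genuine user moves the pointer onto the button and then clicks it.
const GENUINE_SEQUENCE = ['mousemove', 'mousemove', 'mousedown', 'click'];

// Browser wiring. `selector` (an assumption) names the controls worth protecting:
// consent/approve/submit buttons, wallet confirmations and the like.
function attachToDocument(doc, selector = '[data-critical], form [type=submit]') {
  const gate = createGestureGate();
  const setDisabled = (flag) => {
    for (const el of doc.querySelectorAll(selector)) el.disabled = flag;
  };
  setDisabled(true); // disabled until a gesture arms the gate
  for (const type of ARMING_EVENTS) {
    doc.addEventListener(type, () => {
      gate.observe(type);
      setDisabled(false);
    }, { once: true, passive: true });
  }
  // Defence in depth: a click on a protected control that was never armed is
  // swallowed in the capture phase before any application handler sees it.
  doc.addEventListener('click', (ev) => {
    const target = ev.target instanceof Element ? ev.target.closest(selector) : null;
    if (target && !gate.observe('click')) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);
  return gate;
}

// Only runs in a real page; harmless under Node, where `document` is undefined.
if (typeof document !== 'undefined') attachToDocument(document);
```

The gate is a heuristic rather than a guarantee: it relies on the second click of a double-click arriving with no pointer movement or key press in between, and it protects only the controls the selector names. Sites should treat it as a stopgap of the kind the article describes, to be retired once browser-level defenses are standardized.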

He also urges users to be wary of prompts that require a double-click, especially on unfamiliar websites. Keeping browsers and extensions updated helps ensure the latest security patches are in place and reduces exposure to exploitation, and anti-malware and security tools can help detect and block suspicious behavior.

Tom Ozimek is a senior reporter for The Epoch Times. He has a broad background in journalism, deposit insurance, marketing and communications, and adult education.

©2023-2025 California Insider All Rights Reserved. California Insider is a part of Epoch Media Group.