- Researcher Paulos Yibelo uncovers new attack targeting users
- The attack makes use of fake CAPTCHA notification pages
- Users are encouraged to ‘double click’ while the attacker swaps in a malicious page
A new technique is helping attackers steal user accounts, often without the victim even noticing, experts have warned.
The attack, dubbed ‘DoubleClickjacking’, was disclosed by security researcher and bug hunter Paulos Yibelo, and is an evolution of well established ‘Clickjacking’ tactics, which have been around for over a decade.
Since modern browsers have mitigated the click jacking risk by no longer sending cross-site cookies, single click hacks have become less common for hackers. Threat actors have stepped up their game, by adding in a second click.
Sleight of hand
The technique works by encouraging users to ‘double click’, namely by posing as ‘CAPTCHA’ notifications, asking for verification with a double click.
However, unbeknownst to the victim, the small gap in between the first and second clicks is being leveraged against them, as the attacker has opened a new window, usually the ‘captcha notification’ page, which is then swapped out for a malicious site in the second between the first and second clicks, in a ‘sleight of hand type trick’.
The danger in this attack is pretty clear, as most defenses aren’t designed to handle double-clicking – and protections in Web Apps and frameworks are bypassed. The technique can also be used on mobile sites, asking targets to ‘double tap’.
DoubleClickjacking can be used to obtain API & OAuth permissions for many major sites, and is ‘extremely rampant’ according to the researcher. This can lead to serious consequences for the victim, especially since it requires such minimal user interaction.
“DoubleClickjacking is a sleight of hand around on a well-known attack class. By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye,” Yibelo noted.