DoubleClickjacking: How A New Cyberattack Targets User Interactions
Cybersecurity researcher Paulos Yibelo announced today DoubleClickjacking, a web attack that leverages the timing of a double-click to deceive users into executing sensitive actions on websites.
In a Rush? Here are the Quick Facts!
- DoubleClickjacking exploits the timing gap between two clicks in a double-click sequence.
- It enables unauthorized actions, including account takeovers and permission grants on OAuth platforms.
- Browser extensions and mobile apps are also vulnerable to DoubleClickjacking attacks.
Paulos Yibelo explains that DoubleClickjacking expands on the well-known “clickjacking” technique. DoubleClickjacking manipulates user-interface interactions to bypass protections such as X-Frame-Options headers and SameSite cookies, so it can potentially affect a wide range of websites.
Yibelo explains that DoubleClickjacking works by exploiting the timing between two clicks in a double-click sequence. The attack typically begins with a user interacting with a webpage that opens a new window or displays a prompt.
The first click closes the newly opened window, revealing a sensitive action page—such as an OAuth authorization screen—in the original browser window. The second click then unintentionally authorizes a malicious action or grants access to unauthorized applications.
This method leverages the brief delay between “mousedown” and “click” events, bypassing traditional security measures. Its impact is substantial, enabling attackers to perform actions such as gaining access to accounts, altering settings, or conducting unauthorized transactions, says Yibelo.
Many platforms using OAuth for authentication are particularly vulnerable, as attackers can exploit this method to obtain extensive permissions on user accounts.
The risks extend beyond websites, with browser extensions and mobile applications also susceptible. Examples include scenarios where cryptocurrency wallets or VPN settings could be manipulated without the user’s awareness, as noted by Yibelo.
Yibelo’s write-up includes a demonstration of the technique being used for a Slack account takeover.
The attack’s simplicity—requiring only a double-click—makes it difficult to detect and prevent. To mitigate the risks, Yibelo says that developers can implement JavaScript-based protections that disable critical buttons until intentional user actions, like mouse movements or keyboard input, are detected.
Yibelo says that this approach adds a layer of verification, ensuring that sensitive actions cannot occur without deliberate user engagement. Over time, browser developers may adopt more robust solutions, such as introducing specialized HTTP headers to prevent context-switching during double-click interactions.
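The JavaScript-based protection described above, as an added example that is not code from the article or from Yibelo’s write-up: a small “click intent” guard that keeps a sensitive control disabled whenever the page is (re)revealed and only arms it once a deliberate engagement signal (mouse movement or a key press) has arrived some time after the reveal. A bare click landing on a freshly revealed page with no such signal, which is what the second click of a double-click looks like from the page’s point of view, is rejected. The class and function names, the 500 ms arming delay and the event timelines are assumptions constructed for this example.

```javascript
// Added example (not the article's or Yibelo's code): a click-intent guard
// modelling the mitigation described in the text. Names and timings are assumed.

class ClickIntentGuard {
  constructor({ minArmDelayMs = 500, now = () => Date.now() } = {}) {
    this.minArmDelayMs = minArmDelayMs;
    this.now = now;          // injectable clock so the logic can be tested offline
    this.revealedAt = null;  // timestamp of the last reveal/focus event
    this.armed = false;      // whether clicks on sensitive controls are honoured
  }

  // The page became the active, visible document (initial load, focus regained
  // after another window closed, tab became visible): disarm until intent is seen.
  onPageRevealed() {
    this.revealedAt = this.now();
    this.armed = false;
  }

  // A mousemove or keydown: evidence that a person is interacting with this page.
  // Ignored if it arrives too soon after the reveal, since the jitter of a
  // double-click can itself produce a mousemove within a few milliseconds.
  onIntentSignal() {
    if (this.revealedAt === null) this.onPageRevealed();
    if (this.now() - this.revealedAt >= this.minArmDelayMs) this.armed = true;
  }

  // A click is only acted on when the guard is armed; the click never arms it.
  shouldAcceptClick() {
    return this.armed;
  }
}

// Replay a timestamped event list and return the decision taken for each click.
// Event shape: { t: <ms>, type: 'reveal' | 'intent' | 'click' }.
function evaluateEventSequence(events, opts = {}) {
  let clock = 0;
  const guard = new ClickIntentGuard({ ...opts, now: () => clock });
  const decisions = [];
  for (const ev of events) {
    clock = ev.t;
    if (ev.type === 'reveal') guard.onPageRevealed();
    else if (ev.type === 'intent') guard.onIntentSignal();
    else if (ev.type === 'click') decisions.push({ t: ev.t, accepted: guard.shouldAcceptClick() });
  }
  return decisions;
}

// Constructed timelines (milliseconds) for illustration.
// Double-click landing: the page is revealed when the first click closes the
// window on top, and the second click arrives tens of ms later with no other engagement.
const DOUBLE_CLICK_LANDING = [
  { t: 0, type: 'reveal' },
  { t: 40, type: 'click' },
];
// Deliberate use: the user moves the mouse onto the button before clicking it.
const DELIBERATE_USE = [
  { t: 0, type: 'reveal' },
  { t: 800, type: 'intent' },
  { t: 1200, type: 'click' },
];

// Browser wiring: keeps the button's disabled state in sync with the guard.
// Only runs where a DOM exists (skipped under Node).
function protectSensitiveButton(button, guard) {
  button.disabled = true;
  const sync = () => { button.disabled = !guard.shouldAcceptClick(); };
  const reveal = () => { guard.onPageRevealed(); sync(); };
  const intent = () => { guard.onIntentSignal(); sync(); };
  window.addEventListener('focus', reveal);
  document.addEventListener('visibilitychange', () => { if (!document.hidden) reveal(); });
  document.addEventListener('mousemove', intent);
  document.addEventListener('keydown', intent);
  // Belt and braces: even if the button is somehow enabled, refuse an unarmed click.
  button.addEventListener('click', (e) => { if (!guard.shouldAcceptClick()) e.preventDefault(); });
  reveal();
}

if (typeof document !== 'undefined') {
  const btn = document.querySelector('button[data-sensitive]');
  if (btn) protectSensitiveButton(btn, new ClickIntentGuard());
}
```

The guard is a client-side heuristic: it raises the bar for the timing trick without changing the page’s server-side authorization logic, and, as the text notes, a browser-level control such as a dedicated HTTP header would be the more robust long-term fix.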
DoubleClickjacking highlights the evolving challenges in web security. By exploiting minor user interaction patterns, it underscores the need for continuous updates to security practices and protections.