Hundreds of millions of web users have been warned about a new and dangerous cyber attack that doesn’t care what browser you use—as long as you click twice. Here’s everything you need to know about the double-clickjacking hack attack.

Don’t Click Twice Warning As New Hack Attack Confirmed

Paulos Yibelo, an application security researcher who specializes in client-side exploits and has a long history of discovering vulnerabilities and novel security threats, has revealed what could be the attack methodology with the biggest reach of them all: everyone using a web browser. In a blog post describing what he calls double clickjacking, Yibelo explains in technical detail how attackers can compromise your credentials when you double-click in Chrome, Edge, Safari or just about any other web browser.

This entirely new threat surface exists because attackers can trick the user of almost any website, in almost any web browser, into clicking something without realizing they are doing it. It is a new take on the old clickjacking attack, which used various methods to get users to click on hidden or otherwise obfuscated web page elements. Classic clickjacking became obsolete once browser developers built protections into their software to block it. Double clickjacking gets around those protections by adding another layer to the attack: it relies on the timing of a mouse double-click to make the victim approve a login or some other account authorization while they believe they are clicking something else that is on the screen at the time, such as a CAPTCHA. The short version is that a new window is opened and the user is asked to double-click on a prompt; between the two clicks, in the blink of an eye, the attacker switches the window under the cursor, so the second click lands somewhere else entirely.

I have approached Apple, Google and Microsoft for a statement.

Why The Double Clickjack Hack Is So Dangerous

“While it might sound like a small change,” Yibelo said, double clickjacking “opens the door to new UI manipulation attacks that bypass all known clickjacking protections,” and “seemingly affects almost every website, leading to account takeovers on many major platforms.” Yibelo highlighted the following reasons why the hack attack is so dangerous:

  • It can bypass existing clickjacking protections.
  • It can affect more than websites alone; attacks against crypto wallets and on smartphones are possible.
  • It’s an entirely new attack surface for hackers to exploit.
  • All websites are, by default, vulnerable to this hack attack.
  • It only requires the target to double-click, nothing else.

When it comes to attack mitigation, Yibelo said, “I’ve reported this issue to some sites, the results have been mixed. Most have chosen to address it while some have chosen not to.” As for end users, the advice for now, until in-browser mitigations are available, has to be: don’t click twice if you want to be sure not to fall victim to this attack.
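As an added illustration of how a site can address this on its own side, not code from the article or from Yibelo's research, the following JavaScript models a defensive "intent gate" in front of a sensitive authorization button. The assumed rule is that a click counts only after the page has been visible for a short delay and the user has moved the pointer on that page since it appeared; the second half of a double-click that lands on a window swapped in a few milliseconds earlier fails the delay check. The threshold value, the class and function names and the `[data-sensitive-action]` selector are assumptions.

```javascript
// Added example (not from the article or from Yibelo's post): a client-side
// "intent gate" for a sensitive authorization button. The mitigation it models
// is an assumption: a click is honoured only if (a) the page has been visible
// for at least ARM_DELAY_MS and (b) the user has produced a non-click pointer
// gesture on THIS page since it became visible.

const ARM_DELAY_MS = 500; // assumed threshold; tune per application

class IntentGate {
  // `now` is injectable so the logic can be driven by a fake clock in tests.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.visibleSince = now();
    this.gestureSeen = false;
  }

  // Page became visible or regained focus: restart the arming window and
  // forget any earlier gesture, since it may belong to a different page state.
  onVisible() {
    this.visibleSince = this.now();
    this.gestureSeen = false;
  }

  // A pointermove/keydown (anything other than a click) on this page.
  onGesture() {
    this.gestureSeen = true;
  }

  // Decide whether a click on the protected button should be honoured.
  evaluateClick() {
    const elapsed = this.now() - this.visibleSince;
    if (elapsed < ARM_DELAY_MS) return { allowed: false, reason: 'too-soon' };
    if (!this.gestureSeen) return { allowed: false, reason: 'no-gesture' };
    return { allowed: true, reason: 'ok' };
  }
}

// Replay a constructed event timeline ([millis, 'visible'|'gesture'|'click'])
// against a fresh gate and return the decision for the last click.
function runTimeline(events) {
  let t = 0;
  const gate = new IntentGate(() => t);
  let decision = null;
  for (const [time, action] of events) {
    t = time;
    if (action === 'visible') gate.onVisible();
    else if (action === 'gesture') gate.onGesture();
    else if (action === 'click') decision = gate.evaluateClick();
    else throw new Error(`unknown action ${action}`);
  }
  return decision;
}

// Browser wiring: keep the button disabled until the gate is satisfied, and
// veto clicks that still fail the gate (capture phase, before the site's own
// handler runs). Only attached when a DOM exists, so the file also loads under Node.
function attachIntentGate(button, gate = new IntentGate()) {
  const refresh = () => { button.disabled = !gate.evaluateClick().allowed; };
  const rearm = () => { gate.onVisible(); refresh(); setTimeout(refresh, ARM_DELAY_MS); };
  document.addEventListener('visibilitychange', rearm);
  window.addEventListener('focus', rearm);
  document.addEventListener('pointermove', () => { gate.onGesture(); refresh(); });
  button.addEventListener('click', (ev) => {
    if (!gate.evaluateClick().allowed) { ev.preventDefault(); ev.stopImmediatePropagation(); }
  }, true);
  rearm();
}

if (typeof document !== 'undefined') {
  const btn = document.querySelector('[data-sensitive-action]'); // assumed selector
  if (btn) attachIntentGate(btn);
}
```

The gate deliberately resets on every focus or visibility change, so a window that is brought to the front mid-gesture starts over and cannot inherit intent from whatever the user was doing on the previous page. The delay and the gesture requirement are independent checks; a timeline such as `[[0,'visible'],[900,'click']]` passes the delay but is still refused for lack of any pointer movement on the page.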
