Hack & Tell: DoubleClickjacking - A New Twist on UI Redressing

Welcome back to Hack & Tell; we hope everyone enjoyed a break at the end of the year! We're straight back into the new year with a novel exploit, a clever evolution of the classic clickjacking attack dubbed DoubleClickjacking. First highlighted by Paulos Yibelo, this method adds a sneaky twist to the standard UI redressing attack, leveraging double-click events to bypass protections like X-Frame-Options, CSP, and SameSite cookies.


Breaking Down DoubleClickjacking: Manipulating Two Clicks

At the heart of DoubleClickjacking lies the ability to exploit two sequential user clicks by assigning each click a separate, strategic role in the attack flow. This subtle yet powerful technique leverages user trust and familiar behaviour patterns to bypass traditional security mechanisms. Let’s examine this in greater detail:


Step 1: The First Click - Setting Up the Context

The first click occurs on the attacker-controlled UI—typically a pop-up or overlay designed to look harmless, such as a "Cookie Consent" banner or a "Start Test" button. This click serves two purposes:

  1. Redirecting to the Legitimate Site:

  • The parent window is redirected to the target site, such as a logged-in session of a legitimate web application (e.g., a Dynamics 365 dashboard or an OAuth consent page).
  • This sets the stage for the subsequent interaction to occur within the context of a legitimate application, avoiding suspicion.

  2. Maintaining User Engagement:

  • The attacker-controlled pop-up remains open, providing a focal point for the user’s immediate attention.
  • The interaction feels normal, as users are accustomed to dismissing pop-ups or agreeing to consent requests.

Step 2: The Second Click - Exploiting the Target

The second click transitions to the legitimate application, leveraging the user’s interaction flow to trigger sensitive actions. Here’s how it unfolds:

  1. Pop-Up Closure:

  • The user clicks a button (e.g., "Accept Cookies") in the pop-up, which simply closes the window.
  • This action redirects the user’s attention to the now-loaded legitimate application.

  2. Triggering Sensitive Actions:

  • OAuth Approval: Granting permissions to a malicious application.
  • API Call Execution: Triggering a sensitive workflow or action (e.g., data export, financial transaction).

  3. No Suspicion Raised:

  • Since the legitimate application is loaded in the foreground, the user perceives their interaction as natural.
  • The attacker benefits from the illusion of legitimacy, as the actions appear to be initiated within the target site.


Why This Technique Works

  1. Mimics Legitimate Behaviour:

Users are accustomed to multi-step interactions, such as clicking through pop-ups or navigating confirmation dialogs. DoubleClickjacking capitalises on this familiarity.

  2. Exploits Timing and Context:

The attack synchronises the redirection and user interaction to create a seamless flow, masking malicious intent.

  3. Circumvents Protections:

Traditional defences like X-Frame-Options and CSP frame-ancestors are ineffective here because nothing is framed: the target site is loaded top-level in the parent window, and the sensitive action is triggered by a genuine user click on it.

  4. Targets Trust in Everyday Interactions:

Common UI elements like cookie banners or consent pop-ups disarm users, lowering their guard against potential exploitation.


Visualising the Flow

Think of DoubleClickjacking as a relay race:

  • The first click passes the baton (context setup) to the legitimate site.
  • The second click crosses the finish line (execution of sensitive action) without the user realising an attack has occurred.


Practical Examples

  1. OAuth Authorisation:

  • The first click loads an OAuth consent page.
  • The second click approves access to sensitive resources, such as email or cloud storage.

  2. API Workflow Exploitation:

  • The first click triggers a legitimate application with accessible API functionality.
  • The second click executes a workflow, such as initiating a fund transfer or exporting sensitive records.

  3. Session Hijacking:

  • The first click redirects to a session-managed dashboard.
  • The second click interacts with session-based elements to perform unauthorised actions.


By splitting user interactions into two steps and carefully synchronising them, DoubleClickjacking creates a potent attack vector that exploits both user behaviour and application trust. This detailed understanding reinforces why layered defences and proactive testing are critical to countering such nuanced threats.


Attack Flow

1. Malicious UI Setup: The attacker deploys a phishing page or compromised application containing a fake "Cookie Consent" pop-up.

2. Victim Interaction: The user clicks on the Start Test button, which:

  • Redirects the parent page to the legitimate site.
  • Opens the attacker-controlled pop-up.

3. Behind the Scenes:

  • The user’s first click interacts with the malicious pop-up and closes it.
  • The user’s second click lands on the legitimate site, potentially triggering sensitive actions like OAuth approval or API workflow execution.

4. Redirection: The parent window, now redirected to the legitimate site, completes the critical action—such as approving permissions—without the user’s explicit knowledge.


Script in Action

I created a proof-of-concept script to demonstrate how this works in practice. You can find the code and detailed instructions in my GitHub repository: GitHub: doubleclickjacking PoC

What the Script Does:

  1. Initial Setup: Opens a "Cookie Consent" pop-up, designed to appear harmless and familiar to users.
  2. Double-Click Trigger: Redirects the parent window to the legitimate site while the pop-up draws attention. The pop-up closes on the first click, focusing the user’s subsequent interaction on the legitimate site.
  3. Attack Flow Log: Tracks each step of the process for validation and transparency during testing.


Why It Matters

Let's be clear: DoubleClickjacking will be limited in how often it occurs. It requires significant user interaction and a very specific attack path to be viable, but it is a very clever twist. The attack leverages natural user behaviour to bypass existing protections, allowing attackers to execute sensitive actions like:

  • Approving malicious OAuth applications.
  • Executing critical API workflows.
  • Hijacking user sessions or bypassing MFA.

The impact can potentially be quite significant: without robust UI and workflow protections, even the most secure-looking applications can fall victim to this subtle manipulation.


Risk Assessment

While this attack requires significant user interaction and precise timing, its potential impact on sensitive workflows makes it worth considering.

  • Medium Risk: If user interaction leads to non-critical actions (e.g., enabling permissions with limited scope).
  • High Risk: If critical actions like OAuth approvals, financial workflows, or sensitive API calls are targeted.


Mitigation Strategies

Here’s what you can do to protect your applications:

  • Disable sensitive actions until explicit user intent is detected, such as mouse movement or keypress validation.
  • Harden UI designs to prevent embedding sensitive actions in pop-ups or overlays.
  • Introduce confirmation dialogs for high-risk actions to validate user intent.
  • Educate users about phishing and UI manipulation techniques to build awareness.
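The first and third mitigations can be combined into one small client-side control: a sensitive button that starts disabled, is only enabled after the page has seen genuine pointer movement or a keypress, refuses a click that arrives too soon after page load or too soon after that gesture (the shape of a pre-positioned second click), and still confirms before acting. The code below is an added example written for this article, not the PoC from the linked repository and not code from any vendor; the option names (`armDelayMs`, `gestureLeadMs`, `now`) and their default thresholds are assumptions chosen for illustration. The gate itself is a plain state machine so it can be unit-tested under Node; `attachIntentGate()` wires it to a real button in a browser.

```javascript
// Added example (not the article's PoC and not from the linked repository):
// a "user-intent gate" for a sensitive button, modelling the first and third
// mitigations above. The gate is a plain state machine so it runs in Node for
// testing; attachIntentGate() wires it to a real button when a DOM exists.
// Option names and the default thresholds are assumptions made for this example.

function createIntentGate(options = {}) {
  const now = options.now || (() => Date.now());       // injectable clock for tests
  const armDelayMs = options.armDelayMs ?? 500;        // refuse clicks landing this soon after load
  const gestureLeadMs = options.gestureLeadMs ?? 100;  // gesture must precede the click by this much
  const state = { loadedAt: now(), gestureAt: null, log: [] };

  function record(kind, detail) {
    state.log.push({ kind, detail, at: now() });
  }

  // The first genuine pointer movement or keypress arms the gate. A click that
  // arrives with no preceding gesture is what a pre-positioned second click
  // looks like, so it is refused.
  function gesture(kind) {
    if (state.gestureAt === null) {
      state.gestureAt = now();
      record('gesture', kind);
    }
  }

  return {
    onPointerMove() { gesture('pointermove'); },
    onKeyDown() { gesture('keydown'); },
    isArmed() {
      const t = now();
      return t - state.loadedAt >= armDelayMs
        && state.gestureAt !== null
        && t - state.gestureAt >= gestureLeadMs;
    },
    // Verdict for one click; the caller performs the sensitive action only when allowed is true.
    onClick() {
      const t = now();
      let reason = null;
      if (t - state.loadedAt < armDelayMs) reason = 'click arrived before the page was armed';
      else if (state.gestureAt === null) reason = 'no pointer movement or keypress before click';
      else if (t - state.gestureAt < gestureLeadMs) reason = 'gesture and click too close together';
      record(reason === null ? 'accept' : 'reject', reason === null ? 'click' : reason);
      return { allowed: reason === null, reason };
    },
    events() { return state.log.slice(); },  // audit trail, useful when testing the control
  };
}

// Browser wiring (never executed under Node). The button starts disabled, is
// enabled only once the gate is armed, and still asks for confirmation.
function attachIntentGate(button, gate, performSensitiveAction, prompt = 'Confirm this action?') {
  button.disabled = true;
  const enableWhenArmed = () => {
    if (gate.isArmed()) button.disabled = false;
    else setTimeout(enableWhenArmed, 50);
  };
  document.addEventListener('pointermove', () => { gate.onPointerMove(); enableWhenArmed(); }, { once: true });
  document.addEventListener('keydown', () => { gate.onKeyDown(); enableWhenArmed(); }, { once: true });
  button.addEventListener('click', (ev) => {
    const verdict = gate.onClick();
    if (!verdict.allowed) { ev.preventDefault(); return; }
    if (window.confirm(prompt)) performSensitiveAction();
  });
}
```

The gesture requirement is what addresses the scenario described above: the second click lands on the freshly loaded page without the user having moved the mouse, so the gate sees a click with no preceding `pointermove` or `keydown` and refuses it, while a real visitor arms the button the moment they move toward it (keyboard users arm it with any keypress). The thresholds are conservative guesses and should be tuned per application; the control is a UI-layer defence and complements, rather than replaces, server-side checks on the sensitive action itself.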


The Takeaway

This proof-of-concept is a reminder of how subtle manipulations can lead to significant vulnerabilities. While no specific exploit has been demonstrated in production environments, DoubleClickjacking illustrates the need for layered defences and proactive testing.

Stay curious, stay secure, and see you next time here at Hack & Tell!

This looks like a really insightful read! The concept of DoubleClickjacking certainly highlights the evolving nature of security challenges. It's great to see practical steps being shared to stay ahead of attackers. What do you think is the most critical aspect of defending against this type of vulnerability?

John Gehlert

Software Engineer & Certified Cool Guy to work with.

2 months

The inclusion of the repo with your proof of concept was excellent Shaun. I read about CVEs all the time but demonstrating the logic in code made this a lot more real for me.
