DoubleClickjacking affecting major websites – Here is a quick look.
A new cyber threat called DoubleClickjacking has emerged, posing a significant risk to internet security. This sophisticated attack bypasses existing clickjacking protections, leaving major websites vulnerable to account takeovers and unauthorized actions.
What is DoubleClickjacking?
DoubleClickjacking builds on the decade-old concept of clickjacking. Traditional clickjacking tricks users into clicking hidden or disguised buttons, typically rendered in an invisible iframe, leading to unauthorized actions. Modern web browsers have mitigated these risks by defaulting the SameSite cookie attribute to Lax, so that cross-site framed requests no longer carry the victim's session. However, DoubleClickjacking circumvents these safeguards by exploiting a two-click sequence instead of an iframe.
How Does DoubleClickjacking Work?
The attack begins with an attacker creating a website featuring a button that opens a new window. This window displays an innocent-looking prompt, such as “Double-click to verify you’re not a robot”. When the user clicks the button, a new window opens, and the user is prompted to double-click inside it. While the user is double-clicking, the parent window’s content is replaced with a sensitive page, such as an OAuth authorization dialog. The first click of the double-click closes the top-level window, and the second click lands on the replaced content underneath it, authorizing the action before the user has any chance to read the page.
Real-World Implications
DoubleClickjacking has far-reaching consequences, especially for platforms relying on OAuth for account authorization. Attackers can gain unauthorized access to user accounts, authorize malicious applications with extensive data access privileges, and change critical account settings. Tests have revealed that many major websites supporting OAuth are vulnerable to this attack, including platforms like Salesforce, Slack, and Shopify.
Mitigation Strategies
To combat DoubleClickjacking, developers can implement JavaScript-based protections that keep sensitive elements inert until a genuine user interaction has occurred on the page. Enhancements to Content Security Policy (CSP) directives could in future account for context-switching in multi-click scenarios, but note that the existing frame-busting defenses (X-Frame-Options and frame-ancestors) do not help here, because no iframe is involved. Developers should also protect sensitive pages with additional scripts and authentication checks, limit the use of window.opener to prevent unauthorized navigation changes, and implement stricter controls over embedded content in iframes.
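The following is an added example, not code from the original article or from any of the affected vendors, of the JavaScript-based protection described above. It keeps buttons marked with a data-sensitive attribute disabled until the page has observed a real mouse movement or key press and a short arming delay has elapsed, so a click that arrives on a page that was only just swapped into view is ignored. The guard logic is kept free of DOM calls so it can be exercised outside a browser; the attribute name, the 500 ms delay and the function names are assumptions chosen for this illustration.

```javascript
// Added example (not from the article): arm sensitive buttons only after a
// genuine user gesture on this page. Function names, the data-sensitive
// attribute and the 500 ms arming delay are assumptions for illustration.

// Pure guard logic, independent of the DOM so it can run and be tested in Node.
function createClickGuard({ armDelayMs = 500 } = {}) {
  let gestureSeenAt = null; // time of the first mousemove/keydown seen on this page
  return {
    armDelayMs,
    // Record when the user first interacted with the page (first gesture wins).
    onUserGesture(nowMs) {
      if (gestureSeenAt === null) gestureSeenAt = nowMs;
    },
    // A click is honoured only if a gesture was seen at least armDelayMs earlier.
    // A double-click landing on a freshly navigated page has seen no gesture yet.
    shouldAllowClick(nowMs) {
      return gestureSeenAt !== null && nowMs - gestureSeenAt >= armDelayMs;
    },
  };
}

// Browser wiring: disable sensitive buttons up front, re-enable them after a
// gesture plus the arming delay, and re-check the guard on every click anyway.
function protectSensitiveButtons(doc, guard, selector = 'button[data-sensitive]') {
  const buttons = Array.from(doc.querySelectorAll(selector));
  buttons.forEach((b) => { b.disabled = true; });

  const arm = () => {
    guard.onUserGesture(Date.now());
    setTimeout(() => {
      if (guard.shouldAllowClick(Date.now())) {
        buttons.forEach((b) => { b.disabled = false; });
      }
    }, guard.armDelayMs);
  };
  doc.addEventListener('mousemove', arm, { once: true });
  doc.addEventListener('keydown', arm, { once: true });

  // Capture-phase handler: even an enabled button refuses a click the guard rejects.
  buttons.forEach((b) => {
    b.addEventListener('click', (ev) => {
      if (!guard.shouldAllowClick(Date.now())) {
        ev.preventDefault();
        ev.stopImmediatePropagation();
      }
    }, true);
  });
  return buttons.length; // number of buttons placed under protection
}

// Only wire up the DOM when one exists (browser); harmless under Node.
if (typeof document !== 'undefined') {
  protectSensitiveButtons(document, createClickGuard());
}
```

Apply this on the OAuth consent page or any page with a one-click sensitive action; the arming delay is deliberately short so legitimate users barely notice it, while a click inherited from a double-click on another window fails the guard because the swapped-in page has seen no gesture at all.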
Conclusion
DoubleClickjacking is a significant threat to web security in 2025. It exploits the timing and sequence of two user clicks to bypass existing defenses, posing severe risks to platforms relying on OAuth and other sensitive one-click flows. To mitigate this attack, developers must implement robust client-side protections on sensitive pages and adhere to best practices in web security.