![Hand using laptop mouse](https://media.cybernews.com/images/750w/2022/03/hand-using-laptop-mouse.jpg)
The time between two mouse clicks is enough for hackers to swap web pages and trick victims into accidentally authorizing access or money transfers.
Paulos Yibelo, a security researcher and bug hunter, has disclosed a new variation of the so-called ‘clickjacking’ attacks. These attacks trick users into clicking hidden or disguised buttons they never intended to click.
Single-click hijacks have become less practical for attackers since modern browsers no longer send cross-site cookies. To bypass this limitation, hackers have updated the clickjacking attack with a twist: introducing a second click.
“While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections,” Yibelo writes in a blog post.
To the user, the phishing site looks like an ordinary CAPTCHA prompt, asking them to verify that they are human by double-clicking a button.
Behind it, hackers add functionality that loads a sensitive page, such as an OAuth authorization confirmation, in the background. When the user double-clicks, the first trigger closes the top window, revealing the sensitive page. The second mouse click then lands on the sensitive page, approving the authorization, granting the permission, or completing whatever other action the page offers.
![clickjacking](https://media.cybernews.com/2025/01/clickjacking.png)
Clicking speed doesn’t affect the attack, as hackers favor mousedown event handlers.
“The malicious site can quickly swap in a more sensitive window from the same browser session (e.g., an OAuth authorization prompt), effectively hijacking that second click. There are many ways to perform the “swap,” the most reliable and smooth method I found uses window.open.location,” the researcher said.
Yibelo warns that ‘DoubleClickjacking’ can be used to obtain OAuth and API permissions on most major websites and to perform one-click account changes, such as disabling security settings, deleting an account, authorizing access or money transfers, or confirming transactions. The novel technique can also be used to attack browser extensions.
The researcher also shared proof-of-concept code and examples showing how attackers could take over Slack, Shopify, and Salesforce accounts.
Websites can limit exposure by keeping critical buttons disabled by default and only activating them once a prior user-initiated gesture, such as moving the mouse or using the keyboard, has been detected.
Long-term solutions would require browser updates and new standards to defend against double-click exploitation.
“Any page handling OAuth scope verification, payment confirmations, or other high-privilege actions should include the defensive script until browsers provide solutions,” Yibelo suggests.
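A minimal version of the gesture-gating defense described above, as an added example rather than Yibelo's own defensive script: the high-privilege buttons start disabled and are only enabled after the page itself has seen a trusted mouse movement or keypress, which the stray second click of a DoubleClickjacking swap never produces. The `button[data-sensitive]` selector is an assumption for illustration.

```javascript
// Added example (not from the article or the researcher's blog post).
// Pure state machine so the gating logic can be exercised without a DOM.
function createGestureGate({ armingEvents = ['mousemove', 'keydown'] } = {}) {
  let armed = false;
  return {
    // Feed one event; returns whether the gate is armed afterwards.
    observe(event) {
      // Only browser-generated events (isTrusted === true) may arm the gate;
      // events dispatched from script cannot. A bare mousedown/click with no
      // prior movement or keypress on this page never arms it either.
      if (!armed && event && event.isTrusted === true && armingEvents.includes(event.type)) {
        armed = true;
      }
      return armed;
    },
    isArmed() { return armed; },
  };
}

// Wire the gate to a document: disable matching buttons now and re-enable them
// after the first trusted gesture. `selector` is a hypothetical marker attribute.
function installGestureGate(doc, selector = 'button[data-sensitive]') {
  const gate = createGestureGate();
  const buttons = Array.from(doc.querySelectorAll(selector));
  buttons.forEach((b) => { b.disabled = true; });
  const handler = (ev) => {
    if (gate.observe(ev)) {
      buttons.forEach((b) => { b.disabled = false; });
      doc.removeEventListener('mousemove', handler, true);
      doc.removeEventListener('keydown', handler, true);
    }
  };
  // Capture phase, so an overlay element cannot swallow the gesture first.
  doc.addEventListener('mousemove', handler, true);
  doc.addEventListener('keydown', handler, true);
  return gate;
}

// Install automatically when running in a browser.
if (typeof document !== 'undefined') installGestureGate(document);
```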