Hacker News

DoubleClickjacking: A New type of web hacking technique

237 points, by shinzub, 01/14/2025, 100 comments

Comments

janmo, 01/18/2025

There is also a technique where they ask you to press: [Win + R] + [CTRL + V] + [ENTER] to verify that you are human.

This will install malware code that was put in the clipboard by using javascript.

show 3 replies
grokblah, 01/18/2025

This could be mitigated by solving a longstanding UX issue: UI elements changing just before you click or tap.

Why not, by default, prevent interactions with newly visible (or newly at that location) UI elements? I find it incredibly annoying when a page is loading and things appear or move as I’m clicking/tapping. A nice improvement would be to give feedback that your action was ineffective/blocked.

show 1 reply
maxrmk, 01/17/2025

This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.

show 4 replies
efortis, 01/14/2025

I think the suggested mitigation will only work when the user double-clicks without moving the mouse.

So I'd try adding a small timeout when the tab is visible:

  // Re-enable the buttons only once the tab has been visible for 200 ms, so a
  // second click that lands right after the popup closes is ignored.
  document.addEventListener("visibilitychange", () => {
    if (!document.hidden)
      setTimeout(enableButtons, 200)
  })
show 1 reply
joshfraser, 01/17/2025

Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.

https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/

show 2 replies
nneonneo, 01/18/2025

The idea here is simple: get users to commit to clicking twice, but the pop up page only accepts a single click before closing. Their second click goes to the page underneath the pop up, which is e.g. an authentication button.

gwbas1c, 01/17/2025

I'm a little skeptical that this is a real exploit.

When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," i.e., something showed up in the Salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.

I also don't understand when the popup is shown, and what the element is when the popup is closed.

Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate

show 2 replies
inopinatus, 01/18/2025

people who write search result UIs that update/rearrange whilst you're trying to select something have known about the general class of bait-and-switch click vulnerability for years

Vortigaunt, 01/17/2025

Thankfully this shouldn't become a large problem, because websites simply don't load that quick

show 3 replies
alp1n3_eth, 01/18/2025

I feel like this relies more on social engineering itself than anything else. I think confirmations / captchas should be in use for any critical functionality anyway, but watching the exploit vid makes it seem like I can submit a bug for a user going to GitHub, downloading malware, then running that malware, because an email told them they should. The extra tab involvement wouldn't raise any red flags for a user?

sharpshadow, 01/17/2025

New fear unlocked lazy cookie consent banners.

steven_noble, 01/18/2025

The article’s headline says it’s a new technique. The article’s body does not really say this.

show 1 reply
cryptonector, 01/18/2025

And this is a great reason to use Firefox's containers feature.

Dwedit, 01/18/2025

In other words, a social engineering attack to trick people into authorizing something they did not want to authorize.

Related XKCD: https://www.explainxkcd.com/wiki/index.php/2415:_Allow_Captc...

swframe2, 01/18/2025

I clicked on a bad link a few months ago. I can't believe I fell for it. I've disabled javascript by default in my browser and only enable it for websites that I trust. It is painful for some websites that redirect a lot.

What are you doing to reduce your chances of running bad javascript code?

jmull3n, 01/18/2025

This would be super effective as a form submit button that doesn’t respond, tricking the user into rage clicking

bawolff, 01/18/2025

That's clever, but I feel like it would be difficult to pull off in practice.

Also i wonder if the suggested mitigation can somehow be worked around by somehow preloading the page into the bfcache.
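Added example for this thread (not code from the article, and not posted by efortis, bawolff or any other commenter): a click gate for sensitive controls that combines efortis's "wait after the tab becomes visible" idea with the pointer-movement check, and treats a bfcache restore (pageshow with persisted === true, bawolff's concern) and the opener window regaining focus (which is what happens when the popup closes) as fresh visibility. Keyboard events are deliberately not an unlock signal because of the command-click variant lapcat mentions further down. MIN_VISIBLE_MS, the data-sensitive attribute and the helper names are assumptions chosen for the example. Whether a covering popup window fires visibilitychange for the page underneath is browser- and platform-dependent, so the movement and focus conditions are the ones that carry the defence.

```javascript
// Added example (not the article's or any commenter's code). Assumptions:
// MIN_VISIBLE_MS, the data-sensitive attribute and the function names below.
const MIN_VISIBLE_MS = 200;

class ClickGate {
  // `now` is injectable so the decision logic can be driven by a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.visibleSince = null; // when the page last became visible or focused
    this.moved = false;       // pointer movement seen since visibleSince
  }
  onVisible() { this.visibleSince = this.now(); this.moved = false; }
  onHidden()  { this.visibleSince = null; this.moved = false; }
  onPointerMove() { if (this.visibleSince !== null) this.moved = true; }
  // A click on a sensitive control may proceed only when the page has been
  // visible for MIN_VISIBLE_MS and the pointer has moved over it since then.
  // The second click of a double-click that lands right after the popup
  // closes fails both conditions.
  accepts() {
    if (this.visibleSince === null) return false;
    if (this.now() - this.visibleSince < MIN_VISIBLE_MS) return false;
    return this.moved;
  }
}

// Wire the gate to a document: buttons marked data-sensitive start disabled,
// are re-evaluated on every relevant event, and any click that still reaches
// them while the gate is closed is vetoed in the capture phase.
function armSensitiveButtons(doc, win, gate) {
  const sel = 'button[data-sensitive]';
  const buttons = Array.from(doc.querySelectorAll(sel));
  const refresh = () => buttons.forEach(b => { b.disabled = !gate.accepts(); });
  const becameVisible = () => {
    gate.onVisible();
    refresh();
    win.setTimeout(refresh, MIN_VISIBLE_MS); // re-check once the delay has elapsed
  };
  doc.addEventListener('visibilitychange', () => {
    if (doc.hidden) { gate.onHidden(); refresh(); } else { becameVisible(); }
  });
  win.addEventListener('pageshow', becameVisible); // also fires on a bfcache restore
  win.addEventListener('focus', becameVisible);    // opener regains focus when the popup closes
  doc.addEventListener('pointermove', () => { gate.onPointerMove(); refresh(); });
  doc.addEventListener('click', (ev) => {
    const hit = ev.target && ev.target.closest ? ev.target.closest(sel) : null;
    if (hit && !gate.accepts()) { ev.preventDefault(); ev.stopImmediatePropagation(); }
  }, true);
  if (!doc.hidden) becameVisible();
  return refresh;
}

// Bind only when a DOM exists, so the logic above also loads under Node.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  armSensitiveButtons(document, window, new ClickGate());
}
```

The trade-off of resetting on window focus is that a click which itself brings the window into focus is rejected and has to be repeated; that cost is what closes the gap efortis describes, where the pointer drifts a few pixels between the two clicks. Unlike efortis's snippet, the gate keeps the buttons disabled until movement is actually observed rather than re-enabling them on a timer alone.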

yellow_lead, 01/17/2025

Am I mistaken or does this require the user to allow pop-ups?

show 1 reply
chrismarlow9, 01/18/2025

You can use similar tricks to sniff auto fill data with arrow keys, a fake pacman game, and hidden form fields using focus.

pinoy420, 01/18/2025

Genius. I am gonna use this until browsers do a permanent prompt “are you sure you want to close this window?”

lapcat, 01/18/2025

It appears that you can replace double-click with command-click, and listen for keydown rather than mousedown.

gnabgib, 01/14/2025

Title: DoubleClickjacking: A New Era of UI Redressing

denuoweb, 01/18/2025

Lots of people suggesting that double click here means to click the mouse twice quickly but I believe it refers to clicking submit (once), then clicking the pop up button (once), to get two total clicks.

krunck, 01/17/2025

Browser content should never be able to modify the configuration of my desktop window layout by opening a new window. There I said it.

show 3 replies
bangaladore, 01/17/2025

Bit off topic, but what's the reasoning behind messing with the native browser scroll here. Almost gets me motion sick when scrolling through this article.

show 5 replies
IshKebab, 01/17/2025

Eh, it's hardly seamless, and double clicking is extremely uncommon on the web so that would be a big red flag.

show 6 replies