logoalt Hacker News

A New type of web hacking technique: DoubleClickjacking

116 pointsby shinzublast Tuesday at 4:44 AM60 commentsview on HN

Comments

joshfraseryesterday at 10:18 PM

Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.

https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/

show 2 replies
maxrmkyesterday at 7:52 PM

This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.

show 3 replies
Vortigauntyesterday at 9:50 PM

Thankfully this shouldn't become a large problem, because websites simply don't load that quick

show 1 reply
Dwedittoday at 12:14 AM

In other words, a social engineering attack to trick people into authorizing something they did not want to authorize.

Related XKCD: https://www.explainxkcd.com/wiki/index.php/2415:_Allow_Captc...

efortislast Tuesday at 5:52 AM

I think the suggested mitigation will only work when the user double-clicks without moving the mouse.

So I'd try adding a small timeout when the tab is visible:

  document.addEventListener("visibilitychange", () => {
    if (!document.hidden)
      setTimeout(enableButtons, 200)
  })
sharpshadowyesterday at 6:04 PM

New fear unlocked lazy cookie consent banners.

gwbas1cyesterday at 8:28 PM

I'm a little skeptical that this is a real exploit.

When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.

I also don't understand when the popup is shown, and what the element is when the popup is closed.

Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate

show 1 reply
yellow_leadyesterday at 6:23 PM

Am I mistaken or does this require the user to allow pop-ups?

show 1 reply
gnabgiblast Tuesday at 4:46 AM

Title: DoubleClickjacking: A New Era of UI Redressing

krunckyesterday at 6:50 PM

Browser content should never be able to modify the configuration of my desktop window layout by opening a new window. There I said it.

bangaladoreyesterday at 7:52 PM

Bit off topic, but what's the reasoning behind messing with the native browser scroll here. Almost gets me motion sick when scrolling through this article.

show 4 replies
IshKebabyesterday at 5:57 PM

Eh, it's hardly seamless, and double clicking is extremely uncommon on the web so that would be a big red flag.

show 2 replies