Why stop at double-click? "Click here 10 times quickly to confirm you're human". Or some kind of clicker game.

The exploit would be more effective if it obfuscated the UI on the authorization (victim) page. Right now, even if you double click a convincing button, it’s extremely obvious that you just got duped (no pun intended).

Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.

I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.

Back in the day, this trick was used for clickjacking Digg upvotes.

Hmm. I guess it is never impossible that there’s a version of something that will trick people consistently. But, I’m kinda struggling to recall a time I’ve needed to double click on a website.

Actually the double-click action is pretty rare nowadays, right? In particular, I use it a lot to select a word in a terminal, but most of the time when I am getting UI instructions it is from a website about how to use the website itself, and since that’s a website it has to be abstract enough to also make sense for mobile users.

Telling people to double click is, I think, mostly dead.