alt.hn

1/14/2025 at 4:44:06 AM

DoubleClickjacking: A New type of web hacking technique

 https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html

by shinzub

1/18/2025 at 4:57:29 AM

There is also a technique where they ask you to press: [Win + R] + [CRTL + V] + [ENTER] to verify that you are human.

This will install malware code that was put in the clipboard by using javascript.

by janmo

1/20/2025 at 12:10:48 PM

Letting javascript manipulate the clipboard was a mistake. Yet another "feature" that's added for apps but absolutely useless for the web.

by account42

1/18/2025 at 7:18:54 PM

yeah, you paste malicious code into the run window (basically a powershell) and then paste in code. pretty obvious most of the time

by yapyap

1/18/2025 at 5:59:13 AM

The "Run" app appears right after pressing Win+R, so this wouldn't work.

by HeliumHydride

1/18/2025 at 6:21:35 AM

I tried it on a VM, it did work. [WIN + R] opens the run app down left in the left corner.

[CRTL + V] pastes a small code snippet in the run app and once [ENTER] is pressed it closes the run app and in the background downloads and executes a larger code snippet from a malicious website.

So if you press exactly what they told you to press it would install a malware on your computer. Now this typically targets people that don't even know what the run app is.

by janmo

1/18/2025 at 6:52:39 PM

There is the classic "drive by download attack" where you have nothing to press.

by begueradj

1/20/2025 at 12:11:39 PM

I really hate that browsers have started to just download shit without asking you where to save it. "Convenience" my ass.

by account42

1/18/2025 at 7:42:40 PM

This could be mitigated by solving a longstanding UX issue: UI elements changing just before you click or tap.

Why not, by default, prevent interactions with newly visible (or newly at that location) UI elements? I find it incredibly annoying when a page is loading and things appear or move as I’m clicking/tapping. A nice improvement would be to give feedback that your action was ineffective/blocked.

by grokblah

1/17/2025 at 7:52:03 PM

This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.

by maxrmk

1/17/2025 at 9:24:40 PM

The exploit would be more effective if it obfuscated the UI on the authorization (victim) page. Right now, even if you double click a convincing button, it’s extremely obvious that you just got duped (no pun intended).

Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.

I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.

Back in the day, this trick was used for clickjacking Digg upvotes.

by chatmasta

1/19/2025 at 10:01:26 AM

Can you open a tiny iframe then scroll it to a particular location on the page, or does HTML and JS not allow that?

by Dwedit

1/17/2025 at 10:10:44 PM

You can change the visibility of the target page so they wouldn't know

by joshfraser

1/18/2025 at 2:43:31 PM

I don't think you can, but you could open a popup over the target to hide the authorisation page to make it a little less obvious. JS also has a window.close() function for opened windows, but I believe browsers might show a warning when you try that on an external origin.

One could also confuse the user by spawning a whole bunch of tabs for other services after clicking the authorise button, making the user think something weird is going on and closing all the tabs that just popped up without realising they clicked the authorisation button.

by jeroenhd

1/18/2025 at 12:11:49 AM

How? You don't control the DOM on that. You can adjust the window prior to changing its location but that's it.

by chatmasta

1/18/2025 at 2:43:28 AM

[flagged]

by pockmarked19

1/18/2025 at 12:50:38 AM

Why stop at double-click? "Click here 10 times quickly to confirm you're human". Or some kind of clicker game.

by seanwilson

1/18/2025 at 1:47:46 AM

Like in reCAPTCHA (v2 at least) where it asks users to click on tiles to identify common objects like bridges or motorcycles. Surely one could conjure up a fake version of this.

by temporallobe

1/18/2025 at 8:29:08 AM

I've seen people complete actual CAPTCHAs that were something like "Click here exactly 10 times to prove you're human" so I don't think you'd need anything fancy. People wouldn't stop to question it and are used to doing much weirder CAPTCHAs without understanding what they're for.

by seanwilson

1/18/2025 at 5:41:04 AM

Punch the monkey by double clicking it.

by adrr

1/17/2025 at 9:21:23 PM

Hmm. I guess it is never impossible that there’s a version of something that will trick people consistently. But, I’m kinda struggling to recall a time I’ve needed to double click on a website.

Actually the double-click action is pretty rare nowadays, right? In particular, I use it a lot to select a word in a terminal, but most of the time when I am getting UI instructions it is from a website about how to use the website itself, and since that’s a website it has to be abstract enough to also make sense for mobile users.

Telling people to double click is, I think, mostly dead.

by bee_rider

1/17/2025 at 9:31:53 PM

My mother constantly struggles between when to double click or not after decades of using computers. This is probably an issue that will die out with her generation, though.

Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks. I've had a couple of logitechs do this to me. And the thing about scams is you can often legit make money off of very low success rates.

by foobazgt

1/17/2025 at 10:27:41 PM

> Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks.

Speaking of things dying out, it's been so long since I used anything but a trackpad that I thought at first this was some strange claim about rodents!

by JadeNB

1/18/2025 at 5:57:42 AM

And may just come back once some subset of the population only interacts with touch screen devices.

by opello

1/17/2025 at 9:25:54 PM

It doesn’t need to be a literal double click. It could be something like a CAPTCHA “confirm you’re human,” where you click once, it appears to load, and then you click a confirm button. Do it fast enough and it might appear like a double click.

Not sure this would work with the exploit though.

by chatmasta

1/18/2025 at 12:02:17 AM

YouTube gets me to double-click on occasion:

- The page mostly loads

- An ad starts playing

- I attempt to hit "pause" while I go handle a thing or two [0]

- As I'm about to click "pause", the layout shifts to the left exactly enough for me to unmute the ad

- I immediately click again to stop listening to whatever scam is currently being peddled

[0] For some videos I like to read the description before watching. For all videos I like to make it as obvious as possible to Google that there isn't a real person watching the ad (browser not focused, ad muted, ...).

by hansvm

1/17/2025 at 10:14:56 PM

Google drive and similar sites use double click for folders to open similar to a regular OS would. Single click tends to show some metadata where the double click does the actual navigation.

it pisses me off

by dylan604

1/14/2025 at 5:52:00 AM

I think the suggested mitigation will only work when the user double-clicks without moving the mouse.

So I'd try adding a small timeout when the tab is visible:

  document.addEventListener("visibilitychange", () => {
    if (!document.hidden)
      setTimeout(enableButtons, 200)
  })

by efortis

1/17/2025 at 9:34:49 PM

and `disableButtons` on `document.hidden`

by efortis

1/17/2025 at 10:18:26 PM

Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.

https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/

by joshfraser

1/18/2025 at 12:17:16 AM

Bug bounties are kind of a joke. they will invent almost any reason to not pay. it has to be something where the site is malfunctioning, not CSS tricks, which has to do with the browser , not the vendor. Clickjacking can work on any site, not just Amazon.

by paulpauper

1/18/2025 at 7:19:54 AM

The idea here is simple: get users to commit to clicking twice, but the pop up page only accepts a single click before closing. Their second click goes to the page underneath the pop up, which is e.g. an authentication button.

by nneonneo

1/17/2025 at 8:28:33 PM

I'm a little skeptical that this is a real exploit.

When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.

I also don't understand when the popup is shown, and what the element is when the popup is closed.

Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate

by gwbas1c

1/17/2025 at 8:41:27 PM

It's also not a novel threat model. For example prior art, the browser confirmation dialogs in Firefox at least don't enable their buttons until the window has had focus for 500ms or so. Possibly to avoid inadvertently unintentionally clicking "run" on a recently downloaded item, but it solves for this too and I wouldn't be shocked if this was on their mind too.

If I were running some site where pressing a button does some kind of auth that I really want a user to read, that seems like a reasonable mitigation compared to the hyperbole found in the article:

> This technique seemingly affects almost every website

by akersten

1/18/2025 at 9:51:39 AM

It doesn't matter where the file was, the page simply redirects itself to the Salesforce website and opens a popover with the "double click me" button over the "allow" button in the window below.

by stavros

1/18/2025 at 10:27:11 AM

people who write search result UIs that update/rearrange whilst you're trying to select something have known about the general class of bait-and-switch click vulnerability for years

by inopinatus

1/17/2025 at 9:50:28 PM

Thankfully this shouldn't become a large problem, because websites simply don't load that quick

by Vortigaunt

1/18/2025 at 5:59:01 AM

They load in the background. Look at the second video attempting to attack Slack. Look closely at the first tab in the top left corner, you can see that it is loading and eventually settles on Slack before the victim clicks the button. The attacker website has a delay on the click button to allow it to finish.

by Too

1/18/2025 at 4:06:30 PM

Make them fill in the CAPTCHA on the temporary page, then double click to finish.

by lozenge

1/17/2025 at 10:09:47 PM

It could be preloaded

by joshfraser

1/18/2025 at 4:02:57 AM

I understood GP's joke, but I don't understand yours.

by cryptonector

1/18/2025 at 8:11:31 AM

Neither are a joke.

The exploit requires pages to load instantly. The first person was saying it usually takes a few hundred ms to load a page (at least). The second person points out that you can load the page in the background so it is in the local browser cache already, in which case loading is near instant.

by bawolff

1/18/2025 at 9:53:17 AM

I understood the first comment as tongue in cheek, because the web has become very slow. It's a legitimate argument, too, but I read it as at least a bit tongue in cheek.

by stavros

1/18/2025 at 5:01:35 PM

> The exploit requires pages to load instantly.

How so? The page with the double-click prompt immediately changes the parent page behind it to the target location, and it can easily show a loading indicator for a couple seconds to wait for the target page to render before prompting the user to double-click.

by theodorejb

1/18/2025 at 4:25:42 PM

I feel like this relies more on social engineering itself than anything else. I think confirmations / captchas should be in use for any critical functionality any way, but watching the exploit vid makes it seem like I can submit a bug for a user going to GitHub, downloading malware, then running that malware, because an email told them they should. The extra tab involvement wouldn't raise any red flags for a user?

by alp1n3_eth

1/17/2025 at 6:04:33 PM

New fear unlocked lazy cookie consent banners.

by sharpshadow

1/18/2025 at 4:57:36 AM

The article’s headline says it’s a new technique. The article’s body does not really say this.

by steven_noble

1/18/2025 at 6:04:19 AM

This is just a variation of a trick that is as old as the internet. Most old attacks were using timing instead of double-clicking, usually by tricking the user to click on a bouncing monkey to win a price, instead hitting what was behind.

The real question is, how have browser vendors still not learned. Don't allow any clicks the first moments after a focus change.

by Too

1/18/2025 at 11:42:55 AM

If they implement that without an opt-out in the settings, even if buried deep, using the web as a 'power user' will become even more painful!

by mylastattempt

1/18/2025 at 4:03:46 AM

And this is a great reason to us Firefox's containers feature.

by cryptonector

1/18/2025 at 5:57:48 PM

I clicked on a bad link a few months ago. I can't believe I fell for it. I've disabled javascript by default in my browser and only enable it for websites that I trust. It is painful for some websites that redirect a lot.

What are you doing to reduce your chances of running bad javascript code?

by swframe2

1/18/2025 at 3:14:08 AM

This would be super effective as a form submit button that doesn’t respond, tricking the user into rage clicking

by jmull3n

1/18/2025 at 8:07:34 AM

That's clever, but i feel like it would be difficult to pull off in practise.

Also i wonder if the suggested mitigation can somehow be worked around by somehow preloading the page into the bfcache.

by bawolff

1/17/2025 at 6:23:41 PM

Am I mistaken or does this require the user to allow pop-ups?

by yellow_lead

1/17/2025 at 6:41:12 PM

Default configuration for most browsers is to allow popups if it was initiated by a user action.

by gruez

1/18/2025 at 7:42:45 PM

They also usually open tabs on most new window operations (I think when the page doesn’t specify window dimensions) rather than windows. Which doesn’t matter much but to my laziness makes it even easier to line the evil page’s double click target with the “allow” button you’re meant to hit.

by xp84

1/18/2025 at 6:02:07 AM

Ah, thanks, that makes sense.

by yellow_lead

1/18/2025 at 6:21:55 AM

You can use similar tricks to sniff auto fill data with arrow keys, a fake pacman game, and hidden form fields using focus.

by chrismarlow9

1/18/2025 at 6:07:00 PM

Genius. I am gonna use this until browsers do a permanent prompt “are you sure you want to close this window?”

by pinoy420

1/18/2025 at 3:19:05 AM

It appears that you can replace double-click with command-click, and listen for keydown rather than mousedown.

by lapcat

1/14/2025 at 4:46:35 AM

Title: DoubleClickjacking: A New Era of UI Redressing

by gnabgib

1/18/2025 at 4:52:10 AM

Lots of people suggesting that double click here means to click the mouse twice quickly but I believe it refers to clicking submit (once), then clicking the pop up button (once), to get two total clicks.

by denuoweb

1/17/2025 at 6:50:06 PM

Browser content should never be able to modify the configuration of my desktop window layout by opening a new window. There I said it.

by krunck

1/17/2025 at 9:15:28 PM

TFA doesn't use separate windows, only separate tabs.

by KTibow

1/17/2025 at 8:27:14 PM

Agreed, but I think this was a workaround for early web apps that existed in the primitive days. You'd need two webpages of the same site open to complete some task, but the apps weren't sophisticated enough to do that within a single window/tab. Once they did it back then, now too many web apps and workflows would suffer if they just killed that functionality entirely, too many users would scream.

by NoMoreNicksLeft

1/17/2025 at 7:52:39 PM

Bit off topic, but what's the reasoning behind messing with the native browser scroll here. Almost gets me motion sick when scrolling through this article.

by bangaladore

1/17/2025 at 8:56:43 PM

It is the height of irony to me that a blog post complaining about clickjacking is presented on a website that is guilty of scrolljacking.

by packtreefly

1/17/2025 at 8:58:14 PM

I thought the same. Glad to see it called out here. Maybe that's the post for next week...

by thoughtpalette

1/17/2025 at 9:37:35 PM

the scrolling is almost normal in librewolf - but that is with privacy badger blocking 14 trackers on that page ...

by mediumsmart

1/17/2025 at 8:17:24 PM

Marketing people have demanded this on many websites sites I've been involved with. Don't ask me why.

by technion

1/17/2025 at 9:57:26 PM

My hypothesis on this is that marketers who have personal MacBooks but are forced to use Windows computers at work, with mice with notched scroll wheels, find JS-driven smooth scrolling to be superior to the native snapping experience they see at work on many websites. But it wreaks havoc on people who already have computers with native high-resolution trackpads. Alas, the folks at big companies care more about their at-work than at-home experience, and it's been cargo-culted to smaller companies now as well. The conversation "detect if there is indeed a trackpad being used" never even comes up.

by btown

1/17/2025 at 9:10:38 PM

Maybe the industry should develop a secret header we can all have our browser send to disable this sort of thing. Like `X-Shibboleet: true`.

by ndriscoll

1/18/2025 at 2:48:03 PM

A uBlock rule for smooth scrolling libraries can do wonders, though on some pages that breaks all JS scripts because of brittle JS assuming certain objects are magically instantiated.

by jeroenhd

1/17/2025 at 8:32:50 PM

What is it? Smooth scrolling?

by dmix

1/17/2025 at 8:36:27 PM

From the html:

// SmoothScroll for websites v1.2.1

by bangaladore

1/17/2025 at 9:26:58 PM

You'd think the library would first check for macOS/iOS which already has far superior smooth scrolling.

by hombre_fatal

1/17/2025 at 8:49:02 PM

And this is why NoScript is a required extension. Matrix if you use Chromium based browsers.

by braiamp

1/18/2025 at 1:30:20 AM

Nah in my opinion it needs more acceleration, really why not just basically remap my mousewheel to home/end

by p3rls

1/18/2025 at 6:14:07 PM

this one is especially bad since they somehow broke pinch zoom as well, it now scrolls in addition to zooming

by beaugunderson

1/17/2025 at 5:57:46 PM

Eh, it's hardly seamless, and double clicking is extremely uncommon on the web so that would be a big red flag.

by IshKebab

1/17/2025 at 6:41:12 PM

I couldn't even begin to count how many bug reports I've seen over the years that start with "when I accidentally double-click foo, bar happens". It might not be an intentional usage pattern, sure, but that doesn't mean it doesn't happen a lot.

by Etheryte

1/17/2025 at 9:15:51 PM

Yeah, I have no data beyond anecdotal to back this up, but I witness A LOT of people double-clicking everything, regardless of what it is. I assume it's because they only got so far in "computer" as to learn "click + drag to move, double-click to open a program or file". Link on a web page? I want to open that!

by kevinsync

1/17/2025 at 7:06:46 PM

Google Drive uses it as an interaction pattern. I find that baffling, but while uncommon, it's not totally absent. And as others have pointed out, many users carry over their expectation of having to double-click from desktop interfaces.

by uhoh-itsmaciek

1/17/2025 at 7:06:13 PM

> double clicking is extremely uncommon on the web so that would be a big red flag.

You've never had a slow internet connection have you? I've seen double clicking from all users in the office. Comes from frustration.

How many times have you tried to open an application; for it not open? So you click the icon again only for two windows to split open?

Young, old, even techs. It's not as uncommon as you think.

by doublerabbit

1/17/2025 at 11:11:57 PM

I've had a few worn mouses register double clicks upon a single click. It happens inhumanly fast and users won't realize it until using an app that reacts to double clicks.

by psygn89

1/17/2025 at 7:53:42 PM

I’ve even triple or quadruple clicked sometimes with disastrous results

by portaouflop

1/17/2025 at 8:10:26 PM

I double click to select text all the time. Get your flags ready.

by recursive

1/17/2025 at 8:38:34 PM

I'd laugh if an effective way to present this is:

CAPTCHA:

Please copy `qwertyuiopasdfhkl`

Into here `<textbox>`

Edit: Quick (ai mockup) concept... https://imgur.com/mc0IdEA Obviously it would be most effective with a longer string though.

by bangaladore

1/17/2025 at 6:08:24 PM

Double clicking on the web is extremely common with older less technically adept users. This same cohort is also the most susceptible to scams.

by giantrobot

1/17/2025 at 7:58:31 PM

Another obvious case of double click is to select all text in a given area. This one is a bit more obscure though.

Edit: Actually that's generally I guess triple click. Double to select a word.

by bangaladore

1/17/2025 at 6:17:12 PM

This. I have told my eighty-year-old parents this many times over the years, but it doesn't seem to stick.

by waltwalther

1/17/2025 at 6:33:17 PM

I see a lot of people doubleclicking on the web. Both young and old.

by Moru

1/17/2025 at 7:04:14 PM

I’ve tried to explain it many times too, but I can’t really articulate a good, comprehensive rule for when to single and when to double click.

by NotYourLawyer

1/17/2025 at 8:06:11 PM

Another complicating factor that many less-tech-literate don't have a good internal model for is window focus. I've seen several people try and single-click on a not focused web button, only for nothing to happen. When they click again, the button is activated. They then learn to always double click that button.

Having a mental model of "this button needs to be double clicked" gets them the result they want, even if that's not a very accurate reflection of the computer.

by cobbal

1/17/2025 at 9:33:32 PM

In theory: if you’re clicking on a UI element that has some notion of being selected, then a single-click selects it, and you need a double-click to take an action on it. If there’s no notion of selection, then a single click takes an action.

In practice: adherence to this ranges from perfect to abysmal. And users who don’t understand the computer well may not know how to think about whether a given UI element is selectable or not.

by wat10000

1/17/2025 at 8:32:25 PM

When you're on windows and not in the browser, you double-click to launch a file or program in the Explorer (which also is what runs the desktop). Single-click is select.

So, the rule:

List of files on your computer or desktop? Double-click. Otherwise? Don't.

by Pxtl

1/18/2025 at 4:27:28 PM

> When you're on windows and not in the browser

So many people have absolutely no concept of different windows let alone a browser. They run Chrome or IE maximized and that is "the Internet". They'll have tons of tabs open because they don't understand tabs and how to navigate them or that they can be closed.

A problem with billions of people using computers is that only a tiny fraction have working knowledge of them, an even smaller fraction understand them. Most people only understand operations by rote.

by giantrobot

1/17/2025 at 9:16:53 PM

What if I’m opening an email in Outlook? What if I’m looking at something in Control Panel? (That one’s a trick question, since the answer has changed in modern Windows versions.)

by NotYourLawyer

1/17/2025 at 10:25:36 PM

I'd say don't do that. Who reads emails?

Although seriously, I find I never break out of the preview in Outlook email. The only spot in Outlook where I really need to double-click is the calendar. Which is annoying.

by Pxtl

1/17/2025 at 7:59:45 PM

Web browsers and the applications on them have become extremely memory hungry. Memory management pauses are common and people click multiple times irately.

by kazinator