Avoid Repeated Clicks Caution Issued for Chrome, Edge, Safari due to Latest Cyberthreat


Update, January 4, 2025: This article, initially published on January 3, now contains additional information concerning the escalating threat of double-clickjacking hack attacks, as well as a comment from a security expert on the evolution of such cyber attacks.

Millions of internet users have been alerted to a new and dangerous cyber attack that works regardless of which browser you use, provided you double-click. Here's everything you need to know about the double-clickjacking hack attack.

Double-Click Warning: New Hack Invasion Confirmed

Paulos Yibelo, an application security and client-side offensive exploit researcher with a long-standing history of exposing vulnerabilities and emerging security threats, has disclosed what appears to be a novel attack methodology with global reach: millions of web browser users. In a detailed blog post outlining the concept of double clickjacking, Yibelo explains in technical terms how hackers can gain access to your credentials if you double-click in Chrome, Edge, Safari, or nearly any other web browser.

This entirely new attack vector is made possible by the fact that hackers can trick the user of nearly any website and web browser into double-clicking without even realizing they're doing so. A brand-new twist on the old clickjacking attack, which involved various techniques to induce users to click on hidden or otherwise obscured web page elements, double clickjacking circumvents existing protections by relying on the timing between double-clicks to induce the user to authenticate an account or perform some other account-authorizing action, while believing they are clicking something else, say a CAPTCHA, present on the screen at the time. In essence, a new window pops up, and the user is prompted to double-click on a prompt just as the hacker switches the context to a different window altogether. To put it another way, the user thinks they are clicking something innocent, but the hacker is deploying a different and potentially harmful action.

I reached out to Apple, Google, and Microsoft for comment.

Why the Double-Clickjack Hack Is So Dangerous

"It may seem like a minor change," Yibelo noted, but "double clickjacking opens the door to new UI manipulation attacks that bypass all known clickjacking protections." According to Yibelo, the attack is so perilous for several reasons:

  • It circumvents existing clickjacking protections.
  • It affects websites and crypto wallets, and extends to smartphones.
  • It provides a new attack surface for hackers to explore.
  • It makes virtually every website susceptible by default.
  • It requires only a double-click from the target to succeed.

Yibelo described double-clickjacking as a "sleight of hand" around an established attack class, emphasizing how attackers can swap out harmless UI elements for sensitive ones almost instantaneously by exploiting the timing between double-clicks. As a result, developers and security teams must maintain more stringent control over embedded windows and opener-based windows and monitor for suspicious activities such as multi-click patterns.
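The control Yibelo calls for above (tighter handling of opener-based windows and watching for multi-click patterns) can be approximated on the client side. The following is an added example, not code from the article or from Yibelo's write-up: a guard that refuses a click on a sensitive control when it lands immediately after the window gained focus, or when the page has seen no pointer or keyboard activity since that focus change. The event model, the class name and the 500 ms threshold are assumptions for illustration.

```javascript
// Illustrative guard for a sensitive button (added example; thresholds are assumptions).
// Idea: honour a click only if this page has seen deliberate pointer/keyboard activity
// since it last gained focus, and never within a short interval after a focus change,
// which is when the second click of a hijacked double-click would land.
const MIN_MS_AFTER_FOCUS = 500; // constructed threshold, tune per application

class SensitiveActionGuard {
  constructor(minMsAfterFocus = MIN_MS_AFTER_FOCUS) {
    this.minMsAfterFocus = minMsAfterFocus;
    this.lastFocusAt = -Infinity; // when the window last gained focus
    this.sawIntent = false;       // pointermove/keydown observed since that focus
  }

  // ev = { type: 'focus'|'blur'|'pointermove'|'keydown'|'click', t: ms }
  // Returns null for non-click events, { allowed, reason } for clicks.
  handle(ev) {
    switch (ev.type) {
      case 'focus':
        this.lastFocusAt = ev.t;
        this.sawIntent = false;   // a context switch resets evidence of intent
        return null;
      case 'blur':
        this.sawIntent = false;
        return null;
      case 'pointermove':
      case 'keydown':
        this.sawIntent = true;
        return null;
      case 'click': {
        if (ev.t - this.lastFocusAt < this.minMsAfterFocus) {
          return { allowed: false, reason: 'click arrived too soon after window gained focus' };
        }
        if (!this.sawIntent) {
          return { allowed: false, reason: 'no pointer or keyboard activity seen before click' };
        }
        return { allowed: true, reason: 'ok' };
      }
      default:
        return null;
    }
  }
}

// Replays a constructed event stream and returns the click decisions in order.
function replay(events) {
  const guard = new SensitiveActionGuard();
  return events.map(e => guard.handle(e)).filter(Boolean);
}
// Constructed streams: an ordinary user, and the window-swap pattern the article describes.
const NORMAL_USER = [{ type: 'focus', t: 0 }, { type: 'pointermove', t: 800 }, { type: 'click', t: 1500 }];
const SWAP_THEN_CLICK = [{ type: 'focus', t: 0 }, { type: 'click', t: 80 }];
```

In a real page the same guard would be fed from `window` focus/blur listeners and the document's pointer and keyboard events, with the sensitive button's handler calling `handle` before acting.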

The Evolution of Hack Attacks Presents Additional Challenges for Defenders

Unsurprisingly, news of this double-clickjacking hack attack has sparked concern among users and cybersecurity specialists alike. "The declines in ransomware and malware over the past year should not lull people into a false sense of security," Spencer Starkey, an executive vice president at content control and network security provider SonicWall, asserted, "hackers have simply changed their tactics." There is no doubt that cyber attacks are continually evolving, and this double-clickjacking hack attack is evidence of this growth. "Due to the speed at which new attacks are being created, they are more adaptive and difficult to detect," Starkey stated, "which poses an additional challenge for cybersecurity professionals." From a business standpoint, this means proactively monitoring networks for suspicious activity to minimize risk. "The sooner teams can flag a potential issue," Starkey concluded, "the lower the risk of an attack."

In terms of attack mitigation, Yibelo advised, "I've reported this issue to some sites, with varied results—most have chosen to address it, while others have opted not to." For users, the present advice is to refrain from double-clicking on web pages if they want to avoid falling prey to this new hack attack until in-browser mitigations are available.

The recent disclosure by Paulos Yibelo has warned web users of a new hack attack method known as double-clickjacking, which bypasses existing clickjacking protections and can potentially harm users in Chrome, Edge, Safari, and other web browsers. Double-clickjacking exploits the timing between double-clicks to induce users into performing account-authorizing actions without their knowledge, making virtually every website susceptible to this hack attack by default. Security experts like Spencer Starkey have expressed concern over the escalating threat of double-clickjacking hack attacks, emphasizing that the evolution of hack attacks presents additional challenges for defenders and requires proactive network monitoring to minimize risk. Microsoft, Google, and Apple have been contacted for comment on the double-clickjacking hack attack, but no official response has been made yet. To avoid falling victim to double-clickjacking until in-browser mitigations are available, users are advised to refrain from double-clicking unnecessarily on web pages.
