DoubleClickjacking: The two-click hack that could hijack your accounts

DoubleClickjacking builds on the concept of clickjacking, which typically misleads users into unknowingly clicking on hidden or disguised buttons

by Kerem Gülen
January 2, 2025
in News, Cybersecurity

A new cyber threat known as DoubleClickjacking has emerged, exploiting a two-click sequence to bypass existing web security protections and potentially leading to account takeovers across major websites. Discovered by security researcher Paulos Yibelo, this sophisticated attack manipulates the timing between clicks, presenting significant risks to users.

New cyber threat DoubleClickjacking exploits clicks for account takeovers

DoubleClickjacking builds on the concept of clickjacking, which typically misleads users into unknowingly clicking on hidden or disguised buttons. Traditional defenses have been strengthened in modern browsers—such as setting cookies to “SameSite: Lax” by default—yet DoubleClickjacking circumvents these measures. The attack involves a subtle manipulation where users are tricked into double-clicking on a benign prompt. During this sequence, attackers exploit the event timing to swap the content of the parent browser window with a sensitive page, such as an OAuth authorization dialog, thus allowing malicious actions to be authorized with the second click.

Image: Paulos Yibelo

The process starts when an unsuspecting user visits an attacker’s site and is led to believe they must double-click to verify they are not a robot. A new window opens with that prompt, and while the user prepares to double-click, the parent site’s content is altered. The first click closes the top window, and the second click lands on a sensitive element in the now-swapped parent page; together these two clicks permit attackers to gain unauthorized access to accounts.


Affected websites are at risk of account takeovers, unauthorized application access with extensive data privileges, and alterations to critical account settings or financial transactions. Major websites relying on OAuth, including Salesforce, Slack, and Shopify, have been highlighted as vulnerable to this attack.

While traditional defenses like X-Frame-Options headers and Content Security Policies are designed to thwart clickjacking, they fail against DoubleClickjacking. The exploit requires minimal user interaction—a mere double-click—making it particularly deceptive. Furthermore, it extends beyond websites, also threatening browser extensions like crypto wallets or VPNs, potentially allowing attackers to disable security features or authorize financial transactions.

To mitigate this risk, several strategies are recommended. Developers can implement client-side protections, such as disabling sensitive buttons by default until intentional user action is detected. For instance, a JavaScript solution can keep buttons disabled until mouse movement or key presses occur. Long-term, browser vendors are urged to introduce new standards similar to X-Frame-Options, including a Double-Click-Protection HTTP header, to guard against this exploit.
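The following is an added example of the client-side mitigation described above; it is not code from the article or from Paulos Yibelo's write-up. It keeps a sensitive button (assumed here to be an OAuth "Authorize" control) disabled until the document has seen a mouse movement or a key press, so a click that arrives the instant the page is swapped into the parent window, as the second half of a double-click that began elsewhere, is ignored. The tiny element model is a constructed stand-in for the DOM so the code runs under Node; in a browser you pass real elements (`armSensitiveButton(document.getElementById('authorize'), document, submitAuthorization)`).

```javascript
// Added example: DoubleClickjacking client-side guard in the spirit of the
// mitigation the article describes. Not part of the article or the original
// research; the element model below is a constructed stand-in for the DOM.

// Events taken as evidence that the user is interacting with *this* page.
const INTENT_EVENTS = ['mousemove', 'pointermove', 'keydown'];

// Minimal DOM-like element for running under Node (constructed for this example).
function createElementStub() {
  const listeners = {};
  return {
    disabled: false,
    addEventListener(type, fn) {
      listeners[type] = listeners[type] || [];
      listeners[type].push(fn);
    },
    removeEventListener(type, fn) {
      listeners[type] = (listeners[type] || []).filter((f) => f !== fn);
    },
    dispatchEvent(event) {
      (listeners[event.type] || []).forEach((fn) => fn(event));
      return !event.defaultPrevented;
    },
  };
}

function makeEvent(type) {
  return {
    type,
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
}

// Disable `button` until `doc` observes deliberate user input, then let clicks
// through to `onActivate`. Returns a small state object for inspection.
function armSensitiveButton(button, doc, onActivate) {
  const state = { enabled: false, blocked: 0, accepted: 0 };
  button.disabled = true;

  const enable = () => {
    if (state.enabled) return;
    state.enabled = true;
    button.disabled = false;
    INTENT_EVENTS.forEach((t) => doc.removeEventListener(t, enable));
  };
  INTENT_EVENTS.forEach((t) => doc.addEventListener(t, enable));

  button.addEventListener('click', (ev) => {
    if (!state.enabled) {
      // Defense in depth: a real disabled <button> emits no click events, but a
      // scripted or synthetic click might reach us; refuse to act either way.
      ev.preventDefault();
      state.blocked += 1;
      return;
    }
    state.accepted += 1;
    onActivate(ev);
  });
  return state;
}

// Walk through the sequence from the article: the sensitive page is loaded
// into the parent window while the victim's second click is already in
// flight, so a click arrives before any movement or key press on this page.
function simulateDoubleClickjackingSequence() {
  const doc = createElementStub();
  const authorizeButton = createElementStub();
  let authorized = 0;
  const state = armSensitiveButton(authorizeButton, doc, () => { authorized += 1; });

  // 1. The second click of the double-click lands immediately: must be ignored.
  authorizeButton.dispatchEvent(makeEvent('click'));
  const afterHijackClick = { authorized, disabled: authorizeButton.disabled };

  // 2. Genuine interaction: the user moves the mouse on this page, then clicks.
  doc.dispatchEvent(makeEvent('mousemove'));
  authorizeButton.dispatchEvent(makeEvent('click'));

  return {
    afterHijackClick,
    authorized,
    blocked: state.blocked,
    accepted: state.accepted,
    disabled: authorizeButton.disabled,
  };
}

module.exports = { armSensitiveButton, simulateDoubleClickjackingSequence };
```

The guard only changes when the button becomes clickable; it does not replace framing defenses such as X-Frame-Options or CSP, which still matter for classic clickjacking, and it is the stopgap until a header-level control like the proposed Double-Click-Protection header exists in browsers.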
Featured image credit: Kerem Gülen/Midjourney