Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

DoubleClickjacking: The two-click hack that could hijack your accounts

DoubleClickjacking builds on the concept of clickjacking, which typically misleads users into unknowingly clicking on hidden or disguised buttons

byKerem Gülen
January 2, 2025
in News, Cybersecurity
Home News
Share on FacebookShare on TwitterShare on LinkedInShare on WhatsAppShare on e-mail
Google Preferred Source

A new cyber threat known as DoubleClickjacking has emerged, exploiting a two-click sequence to bypass existing web security protections and potentially leading to account takeovers across major websites. Discovered by security researcher Paulos Yibelo, this sophisticated attack manipulates the timing between clicks, presenting significant risks to users.

New cyber threat DoubleClickjacking exploits clicks for account takeovers

DoubleClickjacking builds on the concept of clickjacking, which typically misleads users into unknowingly clicking on hidden or disguised buttons. Traditional defenses have been strengthened in modern browsers—such as setting cookies to “SameSite: Lax” by default—yet DoubleClickjacking circumvents these measures. The attack involves a subtle manipulation where users are tricked into double-clicking on a benign prompt. During this sequence, attackers exploit the event timing to swap the content of the parent browser window with a sensitive page, such as an OAuth authorization dialog, thus allowing malicious actions to be authorized with the second click.

DoubleClickjacking builds on the concept of clickjacking, which typically misleads users into unknowingly clicking on hidden or disguised buttons
Image: Paulos Yibelo

The process starts when an unsuspecting user visits an attacker’s site, led to believe they must double-click to verify they are not a robot. Upon clicking, the new window opens, and as the user prepares to double-click, the parent site’s content is altered. The closing of the top window on the first click and the landing on a sensitive element with the second click permits attackers to gain unauthorized access to accounts.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

Affected websites are at risk of account takeovers, unauthorized application access with extensive data privileges, and alterations to critical account settings or financial transactions. Major websites relying on OAuth, including Salesforce, Slack, and Shopify, have been highlighted as vulnerable to this attack.

While traditional defenses like X-Frame-Options headers and Content Security Policies are designed to thwart clickjacking, they fail against DoubleClickjacking. The exploit requires minimal user interaction—a mere double-click—making it particularly deceptive. Furthermore, it extends beyond websites, also threatening browser extensions like crypto wallets or VPNs, potentially allowing attackers to disable security features or authorize financial transactions.

To mitigate this risk, several strategies are recommended. Developers can implement client-side protections, such as disabling sensitive buttons by default until intentional user action is detected. For instance, a JavaScript solution can keep buttons disabled until mouse movement or key presses occur. Long-term, browser vendors are urged to introduce new standards similar to X-Frame-Options, including a Double-Click-Protection HTTP header, to guard against this exploit.


Featured image credit: Kerem Gülen/Midjourney

Tags: Cybersecurity

Related Posts

Why the HPE and Trustwise Partnership Sets the New Blueprint for Enterprise AI Governance

Why the HPE and Trustwise Partnership Sets the New Blueprint for Enterprise AI Governance

July 7, 2026
Android backup data now affects Google account storage

Android backup data now affects Google account storage

July 7, 2026
Apple adds Siri voice controls in iOS 27 beta

Apple adds Siri voice controls in iOS 27 beta

July 7, 2026
Nintendo to end Switch sales in Europe in 2027

Nintendo to end Switch sales in Europe in 2027

July 7, 2026
Samsung confirms One UI 9 Beta 4 release for next week

Samsung confirms One UI 9 Beta 4 release for next week

July 6, 2026
Sony to keep producing discs for pre-2028 PlayStation games

Sony to keep producing discs for pre-2028 PlayStation games

July 6, 2026

LATEST NEWS

Why the HPE and Trustwise Partnership Sets the New Blueprint for Enterprise AI Governance

Android backup data now affects Google account storage

Apple adds Siri voice controls in iOS 27 beta

Nintendo to end Switch sales in Europe in 2027

Samsung confirms One UI 9 Beta 4 release for next week

Sony to keep producing discs for pre-2028 PlayStation games

BEST AI MODELS LEADERBOARD

See the best AI models, ranked by intelligence, benchmark results, speed and token price. Find the most suitable LLMs, Text-to-Image, Image Editing, Text-to-Speech, Text-to-Video and Image-to-Video  artificial intelligence model for your tasks and business.

LATEST TOOLS

Exer AI

AI Passport Photos

Studdy

Mobirise

Vee

Teach Anything

AssemblyAI

Kaiber

KitchenGPT

Dupdub

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI tools
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies to improve your experience. You can choose to accept or reject them. Visit our Privacy Policy.