New “DoubleClickjacking” Exploit Bypasses Clickjacking Protections on Major Websites
Description

Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites. The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo.

"Instead of relying on a single click, it takes advantage of a double-click sequence," Yibelo said. "While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie."

Clickjacking, also called UI redressing, refers to an attack technique in which users are tricked into clicking on a seemingly innocuous web page element (e.g., a button), leading to the deployment of malware or exfiltration of sensitive data. DoubleClickjacking is a variation of this theme that exploits the gap between the start of a click and the end of the second click to bypass security controls and take over accounts with minimal interaction. Specifically, it involves the following steps:

1. The user visits an attacker-controlled site that either opens a new browser window (or tab) without any user interaction or at the click of a button.
2. The new window, which can mimic something innocuous like a CAPTCHA verification, prompts the user to double-click to complete the step.
3. As the double-click is underway, the parent site makes use of the JavaScript Window Location object…
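Because the attack delivers the second half of a double-click to a page that was only just exposed, the page itself has seen no preceding pointer movement or key press from the user. A site-side guard that keeps a sensitive action inert until such a signal has been observed, and for a short grace period after it, denies that stray click even where X-Frame-Options and SameSite cookies do not help. The following is an added illustration of that defensive pattern; it is not code from the article or from the researcher, and the class name, event choices and 500 ms threshold are assumptions for the example. The guard logic is kept free of DOM calls so it can be tested in isolation; the DOM wiring at the bottom runs only in a browser.

```javascript
// Added example (not from the article): keep a sensitive control disabled
// until the page has observed genuine in-window user interaction, then
// require a short grace period before honouring a click on it.

const MIN_INTERACTION_MS = 500; // assumed grace period after first user signal

class SensitiveActionGuard {
  // `now` is injectable so the logic can be exercised with a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.firstSignalAt = null; // timestamp of first mousemove/keydown/touchmove
  }

  // Call on 'mousemove', 'keydown' or 'touchmove' events inside this window.
  onUserSignal() {
    if (this.firstSignalAt === null) this.firstSignalAt = this.now();
  }

  // Returns true if a click on the sensitive control should be honoured.
  // A click with no prior interaction signal, or one arriving before the
  // grace period has elapsed, is rejected.
  allowClick() {
    if (this.firstSignalAt === null) return false;
    return this.now() - this.firstSignalAt >= MIN_INTERACTION_MS;
  }
}

// Simulates the timeline the article describes: a window is exposed and a
// click lands on it immediately, with no movement or key press first.
// Returns the guard's decision for that click.
function decideImmediateClick(guard) {
  return guard.allowClick();
}

// Simulates a legitimate user: moves the pointer, waits, then clicks.
// `advance(ms)` moves the injected clock forward.
function decideClickAfterInteraction(guard, advance, waitMs) {
  guard.onUserSignal();
  advance(waitMs);
  return guard.allowClick();
}

// Browser wiring (skipped under Node): `sensitiveButton` is an assumed
// element id for the control being protected.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const guard = new SensitiveActionGuard();
  const button = document.getElementById('sensitiveButton');
  if (button) {
    button.disabled = true;
    const arm = () => {
      guard.onUserSignal();
      // Enable the control only once the grace period has passed.
      setTimeout(() => { if (guard.allowClick()) button.disabled = false; },
                 MIN_INTERACTION_MS);
    };
    for (const ev of ['mousemove', 'keydown', 'touchmove']) {
      window.addEventListener(ev, arm, { once: true });
    }
    // Belt and braces: drop any click the guard does not approve.
    button.addEventListener('click', (e) => {
      if (!guard.allowClick()) { e.preventDefault(); e.stopImmediatePropagation(); }
    }, true);
  }
}
```

The same idea applies to any one-click consequential action (OAuth consent, payment confirmation, permission grants): the check is "has this window seen the user do anything other than the click itself", which a double-click relayed from another window cannot satisfy.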
