Double-clickjack hack attacks strike.
Hundreds of millions of web users have been warned about a new and dangerous cyber attack that doesn’t care what browser you use—as long as you click twice. Here’s everything you need to know about the double-clickjacking hack attack.
Application security and client-side offensive exploit researcher Paulos Yibelo, with a long history of discovering vulnerabilities and novel security threats, has revealed what could be the new attack methodology with the biggest reach of them all—everyone using a web browser. In a blog post detailing what is referred to as double clickjacking, Yibelo describes in technical detail how hackers can compromise your credentials when you double-click in Chrome, Edge, Safari or just about any web browser client.
This entirely new threat surface is exposed by the fact that hackers can trick the user of almost any website and almost any web browser into clicking something without even realizing they are doing it. It’s a new take on the old clickjacking attack which employed various methods to get users clicking on hidden or otherwise obfuscated web page elements. Clickjacking became obsolete when browser developers built protections into their software to prevent just such an attack. Double clickjacking, however, gets around these protections by adding another layer of attack that relies upon mouse double-click timing to get the victim to validate a login or some other account authorization while thinking they are clicking something else, like a CAPTCHA, that is on the screen at the time. The TL;DR, in other words, is that a new window is opened, and the user is asked to double-click on a prompt while, in the blink of an eye, the hacker is switching context to a different window altogether.
I have approached Apple, Google and Microsoft for a statement.
“While it might sound like a small change,” Yibelo said, double clickjacking “opens the door to new UI manipulation attacks that bypass all known clickjacking protections,” and “seemingly affects almost every website, leading to account takeovers on many major platforms.” Yibelo highlighted the following reasons why the hack attack is so dangerous:
When it comes to attack mitigation, Yibelo said, “I’ve reported this issue to some sites; the results have been mixed. Most have chosen to address it while some have chosen not to.” As for end users, the advice for now, until in-browser mitigations are available, has to be: don’t click twice if you want to be sure not to fall victim to this new hack attack.
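One way a site can make a sensitive authorization button resist the window swap described above, written here as an added example that is not code from this article or from Yibelo’s post: the click is honored only if this window has held focus for a minimum time and the user has moved the pointer inside it since it gained focus. The threshold, function names and the `data-sensitive` attribute are assumptions.

```javascript
// Added defensive illustration (not from the article): a guard that rejects a
// click on a sensitive button when the page has only just received focus (the
// window-swap timing the attack relies on) and no pointer movement has followed.
// MIN_FOCUS_AGE_MS is an assumed threshold, not a value given in the article.
const MIN_FOCUS_AGE_MS = 500;

function createDoubleClickGuard(minFocusAgeMs = MIN_FOCUS_AGE_MS) {
  const state = { focusedAt: null, movedSinceFocus: false };
  return {
    onFocus(now) { state.focusedAt = now; state.movedSinceFocus = false; },
    onBlur() { state.focusedAt = null; state.movedSinceFocus = false; },
    onPointerMove() { if (state.focusedAt !== null) state.movedSinceFocus = true; },
    // True only when the click looks like a deliberate action taken in this window.
    shouldAccept(now) {
      if (state.focusedAt === null) return false;              // window not focused
      if (now - state.focusedAt < minFocusAgeMs) return false; // focus is too fresh
      return state.movedSinceFocus;                            // pointer really moved here
    },
  };
}

// Replays a constructed event sequence [type, timestampMs] and returns the
// guard's verdict for the final click (null if the sequence has no click).
function simulate(events, minFocusAgeMs = MIN_FOCUS_AGE_MS) {
  const guard = createDoubleClickGuard(minFocusAgeMs);
  let accepted = null;
  for (const [type, t] of events) {
    if (type === 'focus') guard.onFocus(t);
    else if (type === 'blur') guard.onBlur();
    else if (type === 'move') guard.onPointerMove();
    else if (type === 'click') accepted = guard.shouldAccept(t);
  }
  return accepted;
}

// Constructed sequences: the attack shape (window swapped under the cursor between
// the two clicks, so focus arrives tens of ms before the second click) vs normal use.
const swappedIn = [['focus', 1000], ['click', 1040]];
const deliberate = [['focus', 0], ['move', 800], ['click', 1500]];

// Browser wiring; skipped when this file runs outside a browser (e.g. under Node).
if (typeof document !== 'undefined') {
  const guard = createDoubleClickGuard();
  if (document.hasFocus()) guard.onFocus(Date.now());
  window.addEventListener('focus', () => guard.onFocus(Date.now()));
  window.addEventListener('blur', () => guard.onBlur());
  document.addEventListener('pointermove', () => guard.onPointerMove());
  document.querySelectorAll('button[data-sensitive]').forEach((btn) =>
    btn.addEventListener('click', (e) => {
      if (!guard.shouldAccept(Date.now())) { e.preventDefault(); e.stopImmediatePropagation(); }
    }, true));
}
```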