Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

DoubleClickjacking: A New Era of UI Redressing

Paulos Yibelo, posted 10 months ago
  • Clickjacking, also known as the UI redress attack, is a technique for stealing clicks to perform sensitive actions on a website. It works by iframing the victim website inside the attacker's website and tricking the user into clicking on particular sensitive parts of the framed page. With SameSite=Lax cookies, the framed website loads unauthenticated, which makes classic clickjacking much harder to exploit. This article describes a new variant called DoubleClickjacking.
  • The main idea is some sleight-of-hand trickery that exploits the small gap between the start of a click and the end of a click, spread across multiple windows. By quickly swapping pages underneath the cursor, it's possible to get a user to click on something they never intended to. The video is the best demonstration of it, but it's very fast. The details of how this works are a bit more involved:
    1. The attacker's initial web page opens a new window.
    2. In the new window, the attacker prompts the user to "double click" on it.
    3. On load, the new window changes the parent (opener) window's location to the target page. The parent window now shows the target page while the top window still shows the double-click prompt.
    4. When the user double-clicks, the mousedown of the first click causes the top window (the attacker's page) to close.
    5. The second click lands on the now-exposed authorization button in the parent window, and access has been granted.
  • This works because each click consists of multiple parts (mousedown, mouseup, click). The attacker consumes part of the click on one page and lets the rest land on another. Any one-click permission flow can be abused this way, such as OAuth consent screens or data sharing on Google Drive. Because the target page is loaded as a top-level window rather than in an iframe, this bypasses traditional clickjacking protections like Content Security Policy (CSP). It isn't limited to websites either; it can affect Chrome extensions as well.
  • To mitigate this, the author suggests disabling critical buttons unless a gesture (such as pointer movement or a key press) is detected on that page. This ensures that the actions were meant for that particular page. For a longer-term solution, a header could be implemented that simply resets all gestures when a page is loaded. I really like that they thought of a good protection, which many folks wouldn't do.
  • The attack is really cool! I personally don't fully understand why each step happens, but it's interesting nonetheless.
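The following is an added illustration of the mitigation described in the notes above, not code from the article or from Paulos Yibelo: a gesture gate that keeps sensitive buttons disabled until the page itself has observed a pointer movement or key press. The `GestureGate` class, the `simulate` helper, the `data-sensitive` attribute and the event sequences are all assumptions made for this example. The DOM wiring at the bottom only runs in a browser; the gate logic itself is plain JavaScript so it can be exercised standalone.

```javascript
// Gesture gate: sensitive controls stay disabled until this page has seen a
// genuine gesture of its own. A click that arrives with no prior pointer
// movement or key press on this page matches the DoubleClickjacking pattern
// described above, where the click began on a different window.
class GestureGate {
  constructor() {
    this.armed = false;   // true once a gesture has been observed on this page
    this.rejected = [];   // labels of clicks refused before arming (for telemetry)
  }

  // Feed a DOM event type. Only events that prove the user's pointer or
  // keyboard was engaged with this page count as gestures; mousedown/mouseup
  // on their own do not, because those are exactly what gets redirected.
  observe(type) {
    if (type === 'mousemove' || type === 'pointermove' || type === 'keydown') {
      this.armed = true;
    }
    return this.armed;
  }

  // Decide whether a click on a sensitive control should proceed.
  allowClick(label) {
    if (!this.armed) {
      this.rejected.push(label);
      return false;
    }
    return true;
  }
}

// Replay a constructed sequence of event types against a fresh gate and
// return the verdict for each 'click' in the sequence.
function simulate(events) {
  const gate = new GestureGate();
  const verdicts = [];
  for (const ev of events) {
    if (ev === 'click') {
      verdicts.push(gate.allowClick('authorize'));
    } else {
      gate.observe(ev);
    }
  }
  return verdicts;
}

// Browser wiring (skipped when there is no DOM, e.g. under Node).
// Buttons marked data-sensitive (assumed attribute) start disabled and are
// enabled only after the page sees a pointer movement or key press.
if (typeof document !== 'undefined') {
  const gate = new GestureGate();
  const sensitive = document.querySelectorAll('button[data-sensitive]');
  sensitive.forEach((b) => { b.disabled = true; });

  const arm = (e) => {
    if (gate.observe(e.type)) {
      sensitive.forEach((b) => { b.disabled = false; });
      document.removeEventListener('mousemove', arm);
      document.removeEventListener('keydown', arm);
    }
  };
  document.addEventListener('mousemove', arm);
  document.addEventListener('keydown', arm);

  // Defence in depth: even if a button is somehow enabled, refuse the click
  // itself unless a gesture has been seen on this page.
  sensitive.forEach((b) => {
    b.addEventListener('click', (e) => {
      if (!gate.allowClick(b.textContent.trim())) {
        e.preventDefault();
        e.stopImmediatePropagation();
      }
    }, true);
  });
}
```

The gate is a complement to, not a replacement for, frame-ancestors or X-Frame-Options: those stop iframe-based clickjacking, while the gesture check targets the case in the notes where the target page is loaded as a top-level window and receives the tail end of a click it never saw begin. The `rejected` log is there so a refused click can be reported to monitoring rather than silently dropped.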