Hacker Remix

DoubleClickjacking: A New type of web hacking technique

116 points by shinzub 4 days ago | 60 comments

joshfraser 3 hours ago

Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.

https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/

paulpauper 2 hours ago

Bug bounties are kind of a joke. They will invent almost any reason to not pay. It has to be something where the site is malfunctioning, not CSS tricks, which has to do with the browser, not the vendor. Clickjacking can work on any site, not just Amazon.

maxrmk 6 hours ago

This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.

seanwilson 58 minutes ago

Why stop at double-click? "Click here 10 times quickly to confirm you're human". Or some kind of clicker game.

temporallobe 36 seconds ago

Like in reCAPTCHA (v2 at least) where it asks users to click on tiles to identify common objects like bridges or motorcycles. Surely one could conjure up a fake version of this.

chatmasta 4 hours ago

The exploit would be more effective if it obfuscated the UI on the authorization (victim) page. Right now, even if you double click a convincing button, it’s extremely obvious that you just got duped (no pun intended).

Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.

I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.

Back in the day, this trick was used for clickjacking Digg upvotes.

joshfraser 4 hours ago

You can change the visibility of the target page so they wouldn't know.

chatmasta 2 hours ago

How? You don't control the DOM on that. You can adjust the window prior to changing its location but that's it.

bee_rider 4 hours ago

Hmm. I guess it is never impossible that there’s a version of something that will trick people consistently. But, I’m kinda struggling to recall a time I’ve needed to double click on a website.

Actually the double-click action is pretty rare nowadays, right? In particular, I use it a lot to select a word in a terminal, but most of the time when I am getting UI instructions it is from a website about how to use the website itself, and since that’s a website it has to be abstract enough to also make sense for mobile users.

Telling people to double click is, I think, mostly dead.

hansvm 2 hours ago

YouTube gets me to double-click on occasion:

- The page mostly loads

- An ad starts playing

- I attempt to hit "pause" while I go handle a thing or two [0]

- As I'm about to click "pause", the layout shifts to the left exactly enough for me to unmute the ad

- I immediately click again to stop listening to whatever scam is currently being peddled

[0] For some videos I like to read the description before watching. For all videos I like to make it as obvious as possible to Google that there isn't a real person watching the ad (browser not focused, ad muted, ...).

foobazgt 4 hours ago

My mother constantly struggles between when to double click or not after decades of using computers. This is probably an issue that will die out with her generation, though.

Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks. I've had a couple of Logitechs do this to me. And the thing about scams is you can often legitimately make money off of very low success rates.

JadeNB 3 hours ago

> Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks.

Speaking of things dying out, it's been so long since I used anything but a trackpad that I thought at first this was some strange claim about rodents!

chatmasta 4 hours ago

It doesn’t need to be a literal double click. It could be something like a CAPTCHA “confirm you’re human,” where you click once, it appears to load, and then you click a confirm button. Do it fast enough and it might appear like a double click.

Not sure this would work with the exploit though.

dylan604 4 hours ago

Google Drive and similar sites use double click to open folders, similar to how a regular OS would. Single click tends to show some metadata, while the double click does the actual navigation.

It pisses me off.

Vortigaunt 4 hours ago

Thankfully this shouldn't become a large problem, because websites simply don't load that quickly.

joshfraser 4 hours ago

It could be preloaded.

efortis 4 days ago

I think the suggested mitigation will only work when the user double-clicks without moving the mouse.

So I'd try adding a small timeout when the tab is visible:

  document.addEventListener("visibilitychange", () => {
    if (!document.hidden)
      setTimeout(enableButtons, 200)
  })

efortis 4 hours ago

and `disableButtons` on `document.hidden`
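The two comments above sketch the mitigation but leave `enableButtons` and `disableButtons` undefined. The following is an added example, not code from the thread or from the linked article, that puts the idea into a small "arming" policy: sensitive buttons (consent, purchase, delete) stay disabled until the page has been visible for a short delay and the pointer has actually moved, and are disabled again the moment the tab is hidden. The DoubleClickjacking sequence lands the second click with no pointer movement and within milliseconds of the victim page becoming visible, which is exactly what this policy refuses. The 200 ms delay, the `data-sensitive="true"` attribute and the function names are assumptions for this example; the decision logic is kept separate from the DOM so it can be exercised without a browser.

```javascript
// Added example (not from the thread). Arming policy for sensitive buttons
// against DoubleClickjacking. Assumptions: a 200 ms arming delay (matching the
// timeout suggested in the comment above) and sensitive buttons marked with
// data-sensitive="true".

const ARM_DELAY_MS = 200;

function createArmingPolicy(armDelayMs = ARM_DELAY_MS) {
  const state = { hidden: false, visibleSince: null, pointerMoved: false, rejected: 0 };

  // Buttons may be clickable only when the page is visible, has been visible
  // for at least armDelayMs, and the user has moved the pointer since then.
  function armed(now) {
    return !state.hidden
      && state.visibleSince !== null
      && now - state.visibleSince >= armDelayMs
      && state.pointerMoved;
  }

  return {
    // Called once when the page loads (the page is visible at that point).
    pageShown(now) {
      state.hidden = false;
      state.visibleSince = now;
      state.pointerMoved = false;
    },
    // Mirrors document.addEventListener("visibilitychange", ...): disarm at
    // once when hidden, restart the delay on every reveal.
    visibilityChanged(isHidden, now) {
      state.hidden = isHidden;
      state.visibleSince = isHidden ? null : now;
      state.pointerMoved = false;
    },
    pointerMoved() { state.pointerMoved = true; },
    isArmed: armed,
    // Click-time gate for the button's own handler, in case a click arrives
    // before the disabled attribute has been re-applied.
    acceptClick(now) {
      if (armed(now)) return true;
      state.rejected += 1; // rejected clicks are worth reporting as a clickjacking signal
      return false;
    },
    rejectedClicks() { return state.rejected; },
  };
}

// Browser wiring: toggles the disabled attribute from the policy and blocks
// clicks that slip through, in the capture phase so it runs before the
// button's own handler.
function installArmingPolicy(doc, policy, now = () => Date.now()) {
  const sensitive = () => Array.from(doc.querySelectorAll('button[data-sensitive="true"]'));
  const refresh = () => {
    const enabled = policy.isArmed(now());
    sensitive().forEach((b) => { b.disabled = !enabled; });
  };

  policy.pageShown(now());
  refresh();

  doc.addEventListener('visibilitychange', () => {
    policy.visibilityChanged(doc.hidden, now());
    refresh();
    if (!doc.hidden) setTimeout(refresh, ARM_DELAY_MS + 10); // re-check once the delay has elapsed
  });
  doc.addEventListener('pointermove', () => { policy.pointerMoved(); refresh(); });
  doc.addEventListener('click', (ev) => {
    const t = ev.target;
    if (t && t.matches && t.matches('button[data-sensitive="true"]') && !policy.acceptClick(now())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);
}

// Only touch the DOM when running in a browser.
if (typeof document !== 'undefined') {
  installArmingPolicy(document, createArmingPolicy());
}
```

Client-side arming of this kind only raises the bar; a page that hosts an authorization or purchase action should still be served with `X-Frame-Options`/`frame-ancestors` and should treat a burst of rejected clicks as a signal to log, since the policy above cannot stop a user who genuinely moves the mouse and waits.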