Saturday, February 22, 2025
Cybersecurity, Web Browsers

New “DoubleClickJacking” Exploit Bypasses Security Controls to Hijack Accounts

by Justin Erickson

Cybersecurity researchers have uncovered a novel attack method, dubbed “DoubleClickJacking,” that bypasses traditional clickjacking defenses. The technique tricks users into performing two clicks – the second click is the action threat actors want them to perform, and the first is the bait placed above it in the same location on the page – allowing attackers to hijack accounts, change settings, and perform other unauthorized actions. To counter DoubleClickJacking, developers can use scripts that activate critical buttons only after users show intentional actions, like moving the mouse or typing. Future solutions might include browser-level protections, such as an HTTP header designed to prevent rapid context switching. In the meantime, developers should secure sensitive pages with available defensive tools and monitor for new attack methods.
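The script-based mitigation described above, as an added example that is not code from the article or from the researchers: a sensitive button stays disabled until the page has seen real user intent (pointer movement or a keypress) and a minimum dwell time, and it re-arms from scratch whenever the tab regains focus. The `button[data-sensitive]` selector, the option values and the `protectButton` name are assumptions for illustration.

```javascript
// Added example, not code from the article: a "user-intent gate" for a
// sensitive control. The button is enabled only after the page observes
// genuine interaction (several pointer movements or a keypress) AND a minimum
// dwell time since the control appeared. A DoubleClickJacking victim's second
// click lands immediately after a page is swapped in under the cursor, with no
// preceding movement on that page, so the gate stays closed.

function createIntentGate({ minDwellMs = 500, minMoveEvents = 3 } = {}) {
  let shownAt = null;   // when the control became visible (ms)
  let moveEvents = 0;   // pointer movements seen since shownAt
  let keyEvents = 0;    // key presses seen since shownAt

  return {
    minDwellMs,
    // Call when the control renders or the tab regains visibility.
    reset(nowMs) { shownAt = nowMs; moveEvents = 0; keyEvents = 0; },
    recordPointerMove() { if (shownAt !== null) moveEvents += 1; },
    recordKey() { if (shownAt !== null) keyEvents += 1; },
    // Enable the button only when both dwell time and intent are satisfied.
    isArmed(nowMs) {
      if (shownAt === null) return false;
      const dwellOk = nowMs - shownAt >= minDwellMs;
      const intentOk = moveEvents >= minMoveEvents || keyEvents >= 1;
      return dwellOk && intentOk;
    },
  };
}

// Browser wiring; `button` is a hypothetical sensitive element such as an
// "Authorize" or "Delete account" control. Skipped when there is no DOM.
function protectButton(button, options = {}) {
  const gate = createIntentGate(options);
  const now = () => Date.now();
  const refresh = () => { button.disabled = !gate.isArmed(now()); };
  // Fresh start: clear any intent and re-check once the dwell time has elapsed.
  const rearm = () => { gate.reset(now()); refresh(); setTimeout(refresh, gate.minDwellMs); };
  document.addEventListener('mousemove', () => { gate.recordPointerMove(); refresh(); });
  document.addEventListener('keydown', () => { gate.recordKey(); refresh(); });
  // A window swapped in under the cursor must not inherit earlier intent.
  document.addEventListener('visibilitychange', rearm);
  window.addEventListener('focus', rearm);
  rearm();
  return gate;
}

if (typeof document !== 'undefined') {
  const btn = document.querySelector('button[data-sensitive]');  // hypothetical selector
  if (btn) protectButton(btn, { minDwellMs: 500, minMoveEvents: 3 });
}
```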
