Avoid Double-Tapping: Recent Alert for Potential Vulnerabilities in Chrome, Edge, and Safari
Update, Jan. 5, 2025: This article, originally published Jan. 3, now includes information about clickjacking as a potential threat surface, as well as additional details about the double-clickjacking hack itself and a warning from a security expert about the evolution of such attacks.
Millions of internet users have been alerted to a new and hazardous cyber attack that does not discriminate based on the browser being used, as long as the user clicks twice. Here's everything you need to know about the double-clickjacking hack attack.
Double Clickjacking Warning: New Hack Attack Confirmed
Paulos Yibelo, a renowned application security and client-side offensive exploit researcher with a history of discovering vulnerabilities and novel security threats, has revealed what may be the most extensive attack methodology to date—affecting every web browser user. In a blog post detailing what's known as double clickjacking, Yibelo explains how hackers can exploit your login credentials through double-clicking in Chrome, Edge, Safari, or any major web browser client.
This entirely new threat is made possible by the fact that hackers can trick users into clicking something unwittingly on nearly any website or web browser. Clickjacking became ineffective when browser developers implemented protections to prevent just such an attack. Double clickjacking, however, circumvents these protections by relying on mouse double-click timing to manipulate the user into validating a login or authorizing an account, all while believing they are clicking something else, such as a CAPTCHA, on the screen at the time. The TL;DR is that a new window is opened, and the user is asked to double-click on a prompt, only for the hacker to switch contexts to a different window in a blink of an eye.
I reached out to Apple, Google, and Microsoft for comment.
What is a Clickjacking Hack Attack?
A clickjacking hack attack, in layman's terms, employs various methods to get users to click on invisible or otherwise disguised web page elements. Such attacks typically rely on an invisible HTML element, which could even be a completely hidden web page by itself, within an iframe. The purpose of an iframe is to display a web page within a web page, effectively layering one on top of another. Because the user sees the underlying page, they believe they are clicking what they see, but they are actually clicking on an invisible element on top of it.
Over the years, researchers at security firm Imperva have identified several clickjacking variations, such as likejacking and cursorjacking. Likejacking involves manipulating a like button to trick users into liking a page without their knowledge. Cursorjacking is a user interface manipulation method that moves the user's cursor from where they believe it to be to another location entirely. While the dangers of these methods do not require explanation, they are no longer an issue since the vulnerabilities that allowed them have been addressed. Indeed, as previously mentioned, clickjacking itself has become all but obsolete due to the measures taken by major browser client developers to protect against such attacks. There is, however, a test you can run to determine if your site is vulnerable. This test uses code from the OWASP clickjacking defense sheet and looks like this:

The Dangers of the Double Clickjacking Hack
"While it may seem like a minor change," Yibelo said, double clickjacking "opens the door to new UI manipulation attacks that bypass all known clickjacking protections," and "affects almost every website, leading to account takeovers on many major platforms." Yibelo listed several reasons why the hack is so dangerous:
- It can bypass existing clickjacking protections.
- It can target more than just websites, with crypto wallets and smartphone attacks possible.
- It represents a new attack surface for hackers to exploit.
- All websites are, by default, vulnerable to this hack attack.
- It only requires the target to double-click, with no additional steps required.
Exploiting the Double Clickjacking Hack Technique
In his blog post detailing the double clickjacking hack methodology, Yibelo provides two examples of how the technique can be exploited by attackers. The first is by way of OAuth and API permissions. OAuth enables an application to access resources hosted on a different site and related to a different user. OAuth is the most secure method of doing this. Until it isn't. "Attackers could trick targets into authorizing a malicious application with extensive privileges," Yibelo warned, "this technique has unfortunately led to account takeovers in almost every site that supports OAuth - which is pretty much all major websites with an application programming interface support." Secondly, Yibelo said, there are one-click account change attacks that are similar to clickjacking in that double clickjacking "can be used to make the user click on account-setting changes, such as disabling security settings, deleting an account, or authorizing access or money transfers, etc."
"DoubleClickjacking is a sleight of hand around an established attack method," Yibelo said, "by exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye." This means that developers and security teams need to tighten their control over embedded or opener-based windows and be more vigilant about multi-click patterns.
Completely anticipated, the emergence of this dual-clickjacking hack assault has induced alarm amongst users and cybersecurity specialists. "The minor decline in ransomware and malware during the last year," commented Spencer Starkey, an executive vice president at content regulation and network security provider SonicWall, "shouldn't deceive anyone. Hackers have merely altered their strategies." It's undeniable that cyber attacks are continually advancing, as evident in both the posts I pen here at Our Website.com and the exploits that numerous individuals end up suffering from. "Due to the rapid pace at which new attacks are being developed," Starkey elaborated, "they are more adaptable and challenging to detect, posing an extra constraint for cybersecurity experts." From a top-tier business standpoint, this entails consistently scrutinizing networks for questionable activity. "The sooner teams can identify a potential issue," Starkey concluded, "the less the chance of an attack."
Regarding countermeasures, Yibelo mentioned, "I've reported this issue to several websites, but the results have been varied. Most have decided to tackle it while others have opted to ignore it." As for end-users, for now, the advice is to refrain from double-clicking to ensure avoiding becoming a victim of this novel hack assault until in-browser countermeasures are in place.
- Despite browser developers implementing protections against clickjacking, a new threat called double clickjacking has emerged, allowing hackers to exploit login credentials through double-clicking in popular web browsers like Chrome, Edge, and Safari.
- Following the revelation of double clickjacking by security researcher Paulos Yibelo, web users have been warned of this evolving attack methodology, which manipulates mouse double-click timing to trick users into validating login or authorizing actions without their knowledge.
- The cybersecurity community is expressing concern about this new hack attack, with SonicWall executive vice president Spencer Starkey noting that while ransomware and malware may have decreased, hackers are merely altering their strategies and developing new methods like double clickjacking.
- Google, Microsoft, and Apple have been contacted for comment on the double clickjacking hack, but it remains unclear if they have taken any measures to protect their users from this attack, which can bypass existing clickjacking protections and target various platforms beyond websites.
- As cybersecurity specialists scramble to develop countermeasures against double clickjacking, web users are advised to exercise caution and avoid double-clicking until in-browser protections are in place, to minimize the risk of becoming a victim of this sophisticated hack attack.