DoubleClickjacking: Bypassing All Clickjacking Protections

DoubleClickjacking is a clickjacking variant that exploits the timing of double-click events to bypass every widely deployed clickjacking protection, including `X-Frame-Options`, CSP's `frame-ancestors`, and SameSite cookies. Those defences only block a target page from being embedded in a hostile frame; this attack never uses a frame. The attacker's page opens (or navigates) a top-level window containing the target, covers it with a benign-looking prompt such as "double-click to continue", and then, on the `mousedown` of the first click, closes or swaps away the covering window so that the second click lands on a sensitive control underneath, for example the "Authorize" button of an OAuth consent screen or an account-settings toggle. Because the swap is triggered by the `mousedown` of the first click rather than by the gap between the two clicks, it works regardless of how fast the user double-clicks, and because the click is delivered to a genuine first-party, top-level document, SameSite cookies are sent as usual. Some sites mitigate this client-side by rendering sensitive buttons inert until real user interaction (mouse movement or keyboard input) has been observed on the page, but that is a per-site heuristic, not a guarantee, and it must be deployed by each application. A durable fix needs new browser standards, such as a policy header that lets sites opt out of accepting clicks from a window that has only just been revealed.
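The following is an added example, not code from the original post or from the researcher who disclosed the technique. It implements the client-side mitigation described above as a small, testable state machine: a sensitive button stays inert until the page has seen genuine pointer movement or a key press, and (my own additional rule, not something the post prescribes) a click is also rejected when the document became visible or focused only a few hundred milliseconds earlier, since in DoubleClickjacking the target window is revealed on `mousedown` and the second click arrives almost immediately. The thresholds, the event traces, and the `protectButton` wiring are assumptions chosen for illustration.

```javascript
'use strict';

// Tunable thresholds (assumed values, not from the original post).
// minMoveEvents is > 1 because revealing a window can deliver a single
// spurious mousemove/pointerenter even when the user's hand never moved.
const DEFAULTS = {
  minMoveEvents: 3,   // mousemove events required before a click is trusted
  minVisibleMs: 500,  // document must have been visible/focused at least this long
};

// Pure gesture gate: no DOM access, so it can be unit-tested under Node.
function createGestureGate(options = {}) {
  const cfg = { ...DEFAULTS, ...options };
  const state = { moveEvents: 0, sawKeyboard: false, visibleSince: null };

  function onVisible(now) { state.visibleSince = now; }
  function onHidden() {
    // Losing visibility or focus discards any earlier evidence of a gesture.
    state.visibleSince = null;
    state.moveEvents = 0;
    state.sawKeyboard = false;
  }
  function onMouseMove() { state.moveEvents += 1; }
  function onKeyDown() { state.sawKeyboard = true; }

  // Decide whether a click at time `now` (ms) should reach the sensitive action.
  function checkClick(now) {
    if (state.visibleSince === null) return { allowed: false, reason: 'document not visible' };
    if (now - state.visibleSince < cfg.minVisibleMs) return { allowed: false, reason: 'window revealed too recently' };
    if (state.moveEvents < cfg.minMoveEvents && !state.sawKeyboard) return { allowed: false, reason: 'no prior user gesture' };
    return { allowed: true, reason: 'ok' };
  }

  return { onVisible, onHidden, onMouseMove, onKeyDown, checkClick };
}

// Replay a constructed event trace through a fresh gate; returns the decision for the last click.
function simulate(trace, options) {
  const gate = createGestureGate(options);
  let decision = null;
  for (const ev of trace) {
    switch (ev.type) {
      case 'visible':   gate.onVisible(ev.t); break;
      case 'hidden':    gate.onHidden(); break;
      case 'mousemove': gate.onMouseMove(); break;
      case 'keydown':   gate.onKeyDown(); break;
      case 'click':     decision = gate.checkClick(ev.t); break;
      default: throw new Error(`unknown event type ${ev.type}`);
    }
  }
  return decision;
}

// Constructed traces (timestamps in ms; not captured from a real browser).
// DoubleClickjacking shape: the covering window closes on mousedown at t=1000,
// the target becomes visible, and the second click lands ~50 ms later with no
// pointer movement inside the target document.
const DOUBLECLICKJACK_TRACE = [
  { type: 'visible', t: 1000 },
  { type: 'click', t: 1050 },
];

// Legitimate user: page has been visible for a while, pointer travels to the button, then a click.
const LEGIT_TRACE = [
  { type: 'visible', t: 0 },
  { type: 'mousemove' }, { type: 'mousemove' }, { type: 'mousemove' }, { type: 'mousemove' },
  { type: 'click', t: 2400 },
];

// Browser wiring for a real button; a no-op under Node (returns null).
// The button is inert (pointer-events: none) until the gate allows clicks, and
// a capturing click handler re-checks the gate as a second line of defence.
function protectButton(button, options) {
  if (typeof document === 'undefined') return null;
  const gate = createGestureGate(options);
  const now = () => performance.now();
  const refresh = () => { button.style.pointerEvents = gate.checkClick(now()).allowed ? 'auto' : 'none'; };
  button.style.pointerEvents = 'none';
  if (document.visibilityState === 'visible') gate.onVisible(now());
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'visible') gate.onVisible(now()); else gate.onHidden();
    refresh();
  });
  window.addEventListener('focus', () => { gate.onVisible(now()); refresh(); });
  window.addEventListener('blur', () => { gate.onHidden(); refresh(); });
  document.addEventListener('mousemove', () => { gate.onMouseMove(); refresh(); });
  document.addEventListener('keydown', () => { gate.onKeyDown(); refresh(); });
  button.addEventListener('click', (e) => {
    if (!gate.checkClick(now()).allowed) { e.preventDefault(); e.stopImmediatePropagation(); }
  }, true);
  return gate;
}
```

In a page this would be called as `protectButton(document.querySelector('#authorize'))` on the consent or settings view. The visibility rule adds a brief delay for a user who switches back to the tab and clicks at once, which is the trade-off for rejecting the reveal-then-click pattern; both thresholds are heuristics, and as the summary notes, only a browser-level mechanism can close the gap for good.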