Nearly all major websites could have their clickjacking defenses evaded and accounts taken over through the novel DoubleClickJacking attack technique, which exploits the brief interval between the first click of a double-click and the second, The Hacker News reports.
Attacks using DoubleClickJacking begin when a visit to a malicious site opens a new tab or window without any user interaction. The new page then presents a CAPTCHA-style verification that asks the user to double-click; during that double-click, the attacker uses the JavaScript Window Location object to redirect to another malicious page, so that the second click lands on it and enables access permissions without the user's knowledge, according to an analysis from security researcher Paulos Yibelo. "DoubleClickjacking adds a layer many defenses were never designed to handle. Methods like X-Frame-Options, SameSite cookies, or CSP cannot defend against this attack," said Yibelo. Web browser vendors have been urged to adopt new anti-clickjacking defense standards to protect against DoubleClickJacking.
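Because the header-based defenses named above do not apply, the only client-side mitigation available today is for the site itself to refuse a click on a sensitive control unless the page has seen genuine user interaction first. The following is an added illustration of that "intent gate" pattern, not code from the article or from Yibelo's research; the helper names and the timing constants are assumptions.

```javascript
// Added example: gate sensitive buttons on recent, genuine interaction so that a
// click arriving on a page that was just swapped under the cursor is dropped.
// Helper names and constants are assumptions, not from the article.

const INTENT_WINDOW_MS = 500;  // how long a pointer/key gesture counts as intent
const ARM_DELAY_MS = 300;      // minimum time after the page appears before clicks count

// Pure decision logic, independent of the DOM so it can be tested offline.
// `now` is injectable so tests can drive a fake clock.
function createIntentGate(now = () => Date.now()) {
  let lastGesture = -Infinity;  // timestamp of the last mousemove/keydown/touchstart
  let shownAt = now();          // timestamp when the page (re)appeared
  return {
    recordGesture() { lastGesture = now(); },
    pageShown() { shownAt = now(); lastGesture = -Infinity; },  // reset on (re)appearance
    allowClick() {
      const t = now();
      if (t - shownAt < ARM_DELAY_MS) return false;      // page appeared too recently
      return t - lastGesture <= INTENT_WINDOW_MS;        // requires a recent real gesture
    },
  };
}

// Wire the gate to a real page; returns null when there is no DOM (e.g. Node).
function protectSensitiveButtons(selector = 'button[data-sensitive]') {
  if (typeof document === 'undefined') return null;
  const gate = createIntentGate();
  for (const ev of ['mousemove', 'keydown', 'touchstart']) {
    document.addEventListener(ev, () => gate.recordGesture(), { passive: true });
  }
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'visible') gate.pageShown();
  });
  for (const btn of document.querySelectorAll(selector)) {
    // Capture phase so the gate runs before the application's own click handler.
    btn.addEventListener('click', (e) => {
      if (!gate.allowClick()) {
        e.preventDefault();
        e.stopImmediatePropagation();  // no other handler sees the rejected click
      }
    }, true);
  }
  return gate;
}
```

Mark only the controls that authorize something (OAuth consent, payment confirmation, permission grants) with `data-sensitive`; ordinary navigation should stay unaffected.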