[HN Gopher] A New type of web hacking technique: DoubleClickjacking
___________________________________________________________________
A New type of web hacking technique: DoubleClickjacking
Author : shinzub
Score : 103 points
Date : 2025-01-14 04:44 UTC (3 days ago)
(HTM) web link (www.paulosyibelo.com)
(TXT) w3m dump (www.paulosyibelo.com)
| gnabgib wrote:
| Title: _DoubleClickjacking: A New Era of UI Redressing_
| efortis wrote:
| I think the suggested mitigation will only work when the user
| double-clicks without moving the mouse.
|
| So I'd try adding a small timeout when the tab is visible:
| document.addEventListener("visibilitychange", () => {
|   if (!document.hidden) setTimeout(enableButtons, 200)
| })
| efortis wrote:
| and `disableButtons` on `document.hidden`
| IshKebab wrote:
| Eh, it's hardly seamless, and double clicking is extremely
| uncommon on the web so that would be a big red flag.
| giantrobot wrote:
| Double clicking on the web is extremely common with older less
| technically adept users. This same cohort is also the most
| susceptible to scams.
| waltwalther wrote:
| This. I have told my eighty-year-old parents this many times
| over the years, but it doesn't seem to stick.
| Moru wrote:
| I see a lot of people double-clicking on the web. Both young
| and old.
| NotYourLawyer wrote:
| I've tried to explain it many times too, but I can't really
| articulate a good, comprehensive rule for when to single
| and when to double click.
| cobbal wrote:
| Another complicating factor that many less-tech-literate
| don't have a good internal model for is window focus.
| I've seen several people try and single-click on a not
| focused web button, only for nothing to happen. When they
| click again, the button is activated. They then learn to
| always double click that button.
|
| Having a mental model of "this button needs to be double
| clicked" gets them the result they want, even if that's
| not a very accurate reflection of the computer.
| Pxtl wrote:
| When you're on windows and not in the browser, you
| double-click to launch a file or program in the Explorer
| (which also is what runs the desktop). Single-click is
| select.
|
| So, the rule:
|
| List of files on your computer or desktop? Double-click.
| Otherwise? Don't.
| NotYourLawyer wrote:
| What if I'm opening an email in Outlook? What if I'm
| looking at something in Control Panel? (That one's a
| trick question, since the answer has changed in modern
| Windows versions.)
| Pxtl wrote:
| I'd say don't do that. Who reads emails?
|
| Although seriously, I find I never break out of the
| preview in Outlook email. The only spot in Outlook where
| I really _need_ to double-click is the calendar. Which is
| annoying.
| wat10000 wrote:
| In theory: if you're clicking on a UI element that has
| some notion of being selected, then a single-click
| selects it, and you need a double-click to take an action
| on it. If there's no notion of selection, then a single
| click takes an action.
|
| In practice: adherence to this ranges from perfect to
| abysmal. And users who don't understand the computer well
| may not know how to think about whether a given UI
| element is selectable or not.
| bangaladore wrote:
| Another obvious case of double click is to select all text in
| a given area. This one is a bit more obscure though.
|
| Edit: Actually that's generally I guess triple click. Double
| to select a word.
| Etheryte wrote:
| I couldn't even begin to count how many bug reports I've seen
| over the years that start with "when I accidentally double-
| click foo, bar happens". It might not be an intentional usage
| pattern, sure, but that doesn't mean it doesn't happen a lot.
| kevinsync wrote:
| Yeah, I have no data beyond anecdotal to back this up, but I
| witness A LOT of people double-clicking everything,
| regardless of what it is. I assume it's because they only got
| so far in "computer" as to learn "click + drag to move,
| double-click to open a program or file". Link on a web page?
| I want to open that!
| doublerabbit wrote:
| > double clicking is extremely uncommon on the web so that
| would be a big red flag.
|
| You've never had a slow internet connection, have you? I've seen
| double clicking from all users in the office. Comes from
| frustration.
|
| How many times have you tried to open an application, for it
| not to open? So you click the icon again, only for two windows to
| split open?
|
| Young, old, even techs. It's not as uncommon as you think.
| portaouflop wrote:
| I've even triple or quadruple clicked sometimes with
| disastrous results
| uhoh-itsmaciek wrote:
| Google Drive uses it as an interaction pattern. I find that
| baffling, but while uncommon, it's not totally absent. And as
| others have pointed out, many users carry over their
| expectation of having to double-click from desktop interfaces.
| kazinator wrote:
| Web browsers and the applications on them have become extremely
| memory hungry. Memory management pauses are common and people
| click multiple times irately.
| recursive wrote:
| I double click to select text all the time. Get your flags
| ready.
| bangaladore wrote:
| I'd laugh if an effective way to present this is:
|
| CAPTCHA:
|
| Please copy `qwertyuiopasdfhkl`
|
| Into here `<textbox>`
|
| Edit: Quick (AI mockup) concept... https://imgur.com/mc0IdEA
| Obviously it would be most effective with a longer string
| though.
| sharpshadow wrote:
| New fear unlocked: lazy cookie consent banners.
| yellow_lead wrote:
| Am I mistaken or does this require the user to allow pop-ups?
| gruez wrote:
| Default configuration for most browsers is to allow popups if
| it was initiated by a user action.
| krunck wrote:
| Browser content should never be able to modify the configuration
| of my desktop window layout by opening a new window. There, I said
| it.
| NoMoreNicksLeft wrote:
| Agreed, but I think this was a workaround for early web apps
| that existed in the primitive days. You'd need two webpages of
| the same site open to complete some task, but the apps weren't
| sophisticated enough to do that within a single window/tab.
| Once they did it back then, now too many web apps and workflows
| would suffer if they just killed that functionality entirely,
| too many users would scream.
| KTibow wrote:
| TFA doesn't use separate windows, only separate tabs.
| maxrmk wrote:
| This is clever, and I got a good laugh out of their example
| video. The demo UI of "Double click here" isn't very convincing -
| I bet there's a version of this that gets people to double click
| consistently though.
| bee_rider wrote:
| Hmm. I guess it is never impossible that there's a version of
| something that will trick people consistently. But, I'm kinda
| struggling to recall a time I've needed to double click on a
| website.
|
| Actually the double-click action is pretty rare nowadays,
| right? In particular, I use it a lot to select a word in a
| terminal, but most of the time when I am getting UI
| instructions it is from a website about how to use the website
| itself, and since that's a website it has to be abstract enough
| to also make sense for mobile users.
|
| Telling people to double click is, I think, mostly dead.
| chatmasta wrote:
| It doesn't need to be a literal double click. It could be
| something like a CAPTCHA "confirm you're human," where you
| click once, it appears to load, and then you click a confirm
| button. Do it fast enough and it might appear like a double
| click.
|
| Not sure this would work with the exploit though.
| foobazgt wrote:
| My mother constantly struggles between when to double click
| or not after decades of using computers. This is probably an
| issue that will die out with her generation, though.
|
| Entirely separate, a common failure mode of dying mice is
| that they start generating spurious clicks. I've had a couple
| of Logitechs do this to me. And the thing about scams is you
| can often legit make money off of very low success rates.
| JadeNB wrote:
| > Entirely separate, a common failure mode of dying mice is
| that they start generating spurious clicks.
|
| Speaking of things dying out, it's been so long since I
| used anything but a trackpad that I thought at first this
| was some strange claim about rodents!
| dylan604 wrote:
| Google drive and similar sites use double click for folders
| to open similar to a regular OS would. Single click tends to
| show some metadata where the double click does the actual
| navigation.
|
| It pisses me off.
| chatmasta wrote:
| The exploit would be more effective if it obfuscated the UI on
| the authorization (victim) page. Right now, even if you double
| click a convincing button, it's extremely obvious that you just
| got duped (no pun intended).
|
| Sure, maybe the attacker can abuse the access privileges before
| you have a chance to revoke them. But it's not exactly a smooth
| clickjacking.
|
| I'd start by changing the dimensions of the parent window
| (prior to redirecting to victim) to the size of the button on
| the target page - no need to show everything around it
| (assuming you can make it scroll to the right place). And if
| the OAuth redirects to the attacker page, it can restore the
| size to the original.
|
| Back in the day, this trick was used for clickjacking Digg
| upvotes.
| joshfraser wrote:
| You can change the visibility of the target page so they
| wouldn't know
| bangaladore wrote:
| Bit off topic, but what's the reasoning behind messing with the
| native browser scroll here. Almost gets me motion sick when
| scrolling through this article.
| technion wrote:
| Marketing people have demanded this on many websites I've
| been involved with. Don't ask me why.
| dmix wrote:
| What is it? Smooth scrolling?
| bangaladore wrote:
| From the html:
|
| // SmoothScroll for websites v1.2.1
| braiamp wrote:
| And this is why NoScript is a required extension. Matrix
| if you use Chromium based browsers.
| hombre_fatal wrote:
| You'd think the library would first check for macOS/iOS
| which already has far superior smooth scrolling.
| ndriscoll wrote:
| Maybe the industry should develop a secret header we can all
| have our browser send to disable this sort of thing. Like
| `X-Shibboleet: true`.
| btown wrote:
| My hypothesis on this is that marketers who have personal
| MacBooks but are forced to use Windows computers at work,
| with mice with notched scroll wheels, find JS-driven smooth
| scrolling to be superior to the native snapping experience
| they see at work on many websites. But it wreaks havoc on
| people who already have computers with native high-resolution
| trackpads. Alas, the folks at big companies care more about
| their at-work than at-home experience, and it's been cargo-
| culted to smaller companies now as well. The conversation
| "detect if there is indeed a trackpad being used" never even
| comes up.
| packtreefly wrote:
| It is the height of irony to me that a blog post complaining
| about clickjacking is presented on a website that is guilty of
| scrolljacking.
| thoughtpalette wrote:
| I thought the same. Glad to see it called out here. Maybe
| that's the post for next week...
| mediumsmart wrote:
| The scrolling is almost normal in LibreWolf - but that is
| with Privacy Badger blocking 14 trackers on that page ...
| gwbas1c wrote:
| I'm a little skeptical that this is a real exploit.
|
| When I watched the Salesforce video, _the exploit was
| demonstrated by pointing the browser at a file on disk,_ not on a
| public website. I also don't understand the "proof," i.e.,
| something showed up in the Salesforce inbox, but I don't
| understand how that shows that the user was hacked. It appears to
| be an automated email from an identity provider.
|
| I also don't understand when the popup is shown, and what the
| element is when the popup is closed.
|
| Some slow-mo with highlighting on the fake window, and the "proof
| of exploit," might make this easier to understand and demonstrate.
| akersten wrote:
| It's also not a novel threat model. As an example of prior art,
| the browser confirmation dialogs in Firefox at least don't enable
| their buttons until the window has had focus for 500ms or so.
| Possibly to avoid inadvertently unintentionally clicking "run"
| on a recently downloaded item, but it solves for this too and I
| wouldn't be shocked if this was on their mind too.
|
| If I were running some site where pressing a button does some
| kind of auth that I really want a user to read, that seems like
| a reasonable mitigation compared to the hyperbole found in the
| article:
|
| > This technique seemingly affects almost every website
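The two mitigations raised in this thread, efortis's `visibilitychange` plus timeout and the Firefox-style delay akersten describes, amount to the same guard. Below is an added example of that guard (not code from the thread or the article); `FakeDocument` and `FakeClock` are constructed test doubles so it runs outside a browser, and `settleMs` is an assumed tuning value.

```javascript
// Added example, not code from the thread or the article. It combines the two
// mitigations discussed above: efortis's visibilitychange + timeout and the
// Firefox-style delay before buttons accept input. Sensitive buttons are
// disabled while the tab is hidden and re-enabled only after it has been
// visible for settleMs, so a click landing right after the attacker's window
// closes hits a disabled control. FakeDocument and FakeClock are constructed
// test doubles; in a page you would pass `document` and `{ setTimeout, clearTimeout }`.
function createVisibilityGuard(doc, buttons, settleMs, clock) {
  let pending = null;
  const setDisabled = (flag) => buttons.forEach((b) => { b.disabled = flag; });
  function onVisibilityChange() {
    if (pending !== null) { clock.clearTimeout(pending); pending = null; }
    setDisabled(true);      // lock down on every transition
    if (doc.hidden) return; // stay locked while in the background
    // Visible again: accept clicks only after the tab has settled.
    pending = clock.setTimeout(() => { pending = null; setDisabled(false); }, settleMs);
  }

  doc.addEventListener("visibilitychange", onVisibilityChange);
  onVisibilityChange(); // apply the initial state
  return { armed: () => buttons.every((b) => !b.disabled) };
}

// Minimal stand-ins for document and the timer API (constructed for this example).
class FakeDocument {
  constructor(hidden) { this.hidden = hidden; this.listeners = []; }
  addEventListener(type, fn) { if (type === "visibilitychange") this.listeners.push(fn); }
  setHidden(hidden) { this.hidden = hidden; this.listeners.forEach((fn) => fn()); }
}
class FakeClock {
  constructor() { this.now = 0; this.nextId = 1; this.timers = new Map(); }
  setTimeout(fn, ms) { const id = this.nextId++; this.timers.set(id, { at: this.now + ms, fn }); return id; }
  clearTimeout(id) { this.timers.delete(id); }
  advance(ms) {
    this.now += ms;
    for (const [id, t] of [...this.timers]) if (t.at <= this.now) { this.timers.delete(id); t.fn(); }
  }
}

// Scenario from the article: the attacker's window closes on mousedown, our tab
// becomes visible, and the second click arrives clickDelayMs later.
function simulateDoubleClickjack(settleMs, clickDelayMs) {
  const doc = new FakeDocument(true), clock = new FakeClock();
  const authorize = { disabled: false };
  const guard = createVisibilityGuard(doc, [authorize], settleMs, clock);
  doc.setHidden(false);        // attacker window closed; our tab is on top now
  clock.advance(clickDelayMs); // the second click lands
  return guard.armed();        // true only if the button would accept it
}
```

The guard only helps when the page is actually reported hidden (a background tab is; a window merely covered by another window may not be in every browser), so it complements rather than replaces a gesture-based check on the button itself.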
| Vortigaunt wrote:
| Thankfully this shouldn't become a large problem, because
| websites simply don't load that quickly.
| joshfraser wrote:
| It could be preloaded
| joshfraser wrote:
| Back in 2013 I discovered that you could use clickjacking to
| trick someone into buying anything you wanted from Amazon
| (assuming they were signed in). It took them almost a year to fix
| the issue. They never paid me a bounty.
|
| https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/
___________________________________________________________________
(page generated 2025-01-17 23:01 UTC)