←back to thread

DoubleClickjacking: A New type of web hacking technique

(www.paulosyibelo.com)
134 points shinzub | 2 comments | 14 Jan 25 04:44 UTC | HN request time: 0.407s | source
1. gwbas1c ◴[17 Jan 25 20:28 UTC] No.42742918[source]
I'm a little skeptical that this is a real exploit.

When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.

I also don't understand when the popup is shown, and what the element is when the popup is closed.

Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate

replies(1): >>42743027 #
2. akersten ◴[17 Jan 25 20:41 UTC] No.42743027[source]
It's also not a novel threat model. For example prior art, the browser confirmation dialogs in Firefox at least don't enable their buttons until the window has had focus for 500ms or so. Possibly to avoid inadvertently unintentionally clicking "run" on a recently downloaded item, but it solves for this too and I wouldn't be shocked if this was on their mind too.

If I were running some site where pressing a button does some kind of auth that I really want a user to read, that seems like a reasonable mitigation compared to the hyperbole found in the article:

> This technique seemingly affects almost every website