DoubleClickjacking: A New type of web hacking technique

(www.paulosyibelo.com)

133 points shinzub | 3 comments | 14 Jan 25 04:44 UTC | HN request time: 0s | source

Show context

maxrmk ◴[17 Jan 25 19:52 UTC] No.42742521[source]▶

This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.

replies(3): >>42743385 #>>42743421 #>>42744773 #

chatmasta ◴[17 Jan 25 21:24 UTC] No.42743421[source]▶

>>42742521 #

The exploit would be more effective if it obfuscated the UI on the authorization (victim) page. Right now, even if you double click a convincing button, it’s extremely obvious that you just got duped (no pun intended).

Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.

I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.

Back in the day, this trick was used for clickjacking Digg upvotes.

replies(1): >>42743818 #

1. joshfraser ◴[17 Jan 25 22:10 UTC] No.42743818[source]▶

>>42743421 #

You can change the visibility of the target page so they wouldn't know

replies(1): >>42744588 #

2. chatmasta ◴[18 Jan 25 00:11 UTC] No.42744588[source]▶

>>42743818 (TP) #

How? You don't control the DOM on that. You can adjust the window prior to changing its location but that's it.

replies(1): >>42745335 #

3. pockmarked19 ◴[18 Jan 25 02:43 UTC] No.42745335[source]▶

>>42744588 #

It’s an HN truth, it means it needs no evidence or explanation.

↑