←back to thread

DoubleClickjacking: A New type of web hacking technique

(www.paulosyibelo.com)
237 points shinzub | 7 comments | 14 Jan 25 04:44 UTC | HN request time: 0.801s | source | bottom
1. janmo ◴[18 Jan 25 04:57 UTC] No.42745956[source]
There is also a technique where they ask you to press: [Win + R] + [CRTL + V] + [ENTER] to verify that you are human.

This will install malware code that was put in the clipboard by using javascript.

replies(3): >>42746226 #>>42750662 #>>42767868 #
2. HeliumHydride ◴[18 Jan 25 05:59 UTC] No.42746226[source]
The "Run" app appears right after pressing Win+R, so this wouldn't work.
replies(1): >>42746310 #
3. janmo ◴[18 Jan 25 06:21 UTC] No.42746310[source]
I tried it on a VM, it did work. [WIN + R] opens the run app down left in the left corner.

[CRTL + V] pastes a small code snippet in the run app and once [ENTER] is pressed it closes the run app and in the background downloads and executes a larger code snippet from a malicious website.

So if you press exactly what they told you to press it would install a malware on your computer. Now this typically targets people that don't even know what the run app is.

replies(1): >>42750446 #
4. begueradj ◴[18 Jan 25 18:52 UTC] No.42750446{3}[source]
There is the classic "drive by download attack" where you have nothing to press.
replies(1): >>42767878 #
5. yapyap ◴[18 Jan 25 19:18 UTC] No.42750662[source]
yeah, you paste malicious code into the run window (basically a powershell) and then paste in code. pretty obvious most of the time
6. account42 ◴[20 Jan 25 12:10 UTC] No.42767868[source]
Letting javascript manipulate the clipboard was a mistake. Yet another "feature" that's added for apps but absolutely useless for the web.
7. account42 ◴[20 Jan 25 12:11 UTC] No.42767878{4}[source]
I really hate that browsers have started to just download shit without asking you where to save it. "Convenience" my ass.