←back to thread

DoubleClickjacking: A New type of web hacking technique

(www.paulosyibelo.com)
237 points shinzub | 3 comments | 14 Jan 25 04:44 UTC | HN request time: 0.61s | source
Show context
janmo ◴[18 Jan 25 04:57 UTC] No.42745956[source]
There is also a technique where they ask you to press: [Win + R] + [CRTL + V] + [ENTER] to verify that you are human.

This will install malware code that was put in the clipboard by using javascript.

replies(3): >>42746226 #>>42750662 #>>42767868 #
HeliumHydride ◴[18 Jan 25 05:59 UTC] No.42746226[source]
The "Run" app appears right after pressing Win+R, so this wouldn't work.
replies(1): >>42746310 #
1. janmo ◴[18 Jan 25 06:21 UTC] No.42746310[source]
I tried it on a VM, it did work. [WIN + R] opens the run app down left in the left corner.

[CRTL + V] pastes a small code snippet in the run app and once [ENTER] is pressed it closes the run app and in the background downloads and executes a larger code snippet from a malicious website.

So if you press exactly what they told you to press it would install a malware on your computer. Now this typically targets people that don't even know what the run app is.

replies(1): >>42750446 #
2. begueradj ◴[18 Jan 25 18:52 UTC] No.42750446[source]
There is the classic "drive by download attack" where you have nothing to press.
replies(1): >>42767878 #
3. account42 ◴[20 Jan 25 12:11 UTC] No.42767878[source]
I really hate that browsers have started to just download shit without asking you where to save it. "Convenience" my ass.