Double clicking danger - experts warn just two clicks can let attackers steal your accounts

Robotic hand clicking on captcha 'I am not a robot'.

(Image credit: Getty Images)

Researcher Paulos Yibelo uncovers new attack targeting users
The attack makes use of fake CAPTCHA notification pages
Users are encouraged to 'double click' while the attacker swaps in a malicious page

A new technique is helping attackers steal user accounts, often without the victim even noticing, experts have warned.

The attack, dubbed ‘DoubleClickjacking’, was disclosed by security researcher and bug hunter Paulos Yibelo, and is an evolution of well established ‘Clickjacking’ tactics, which have been around for over a decade.

Since modern browsers have mitigated the click jacking risk by no longer sending cross-site cookies, single click hacks have become less common for hackers. Threat actors have stepped up their game, by adding in a second click.

Sleight of hand

The technique works by encouraging users to ‘double click’, namely by posing as ‘CAPTCHA’ notifications, asking for verification with a double click.

However, unbeknownst to the victim, the small gap in between the first and second clicks is being leveraged against them, as the attacker has opened a new window, usually the ‘captcha notification’ page, which is then swapped out for a malicious site in the second between the first and second clicks, in a 'sleight of hand type trick’.

The danger in this attack is pretty clear, as most defenses aren’t designed to handle double-clicking - and protections in Web Apps and frameworks are bypassed. The technique can also be used on mobile sites, asking targets to ‘double tap’.

DoubleClickjacking can be used to obtain API & OAuth permissions for many major sites, and is ‘extremely rampant’ according to the researcher. This can lead to serious consequences for the victim, especially since it requires such minimal user interaction.

“DoubleClickjacking is a sleight of hand around on a well-known attack class. By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye,” Yibelo noted.

Take a look at our pick of the best malware removal software around
Google Chrome extensions hack may have started much earlier than expected
Check out our choices for best antivirus software

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.