
Double Clickjacking: How It Works and How to Prevent It

What Is Double Clickjacking?

Double Clickjacking is a browser-based cyberattack technique in which users are tricked into clicking hidden elements on a website twice, leading to unintended actions such as changing settings, granting permissions, or initiating transactions.

It builds upon the traditional Clickjacking method, where attackers overlay invisible elements on top of visible, seemingly harmless buttons. In Double Clickjacking, two sequential clicks are used to make the attack appear more legitimate and reduce user suspicion.


How Does a Double Clickjacking Attack Work?

Step 1: The Setup – Deceptive Engagement

The attacker creates a malicious webpage that displays a non-suspicious button such as “Claim Your Reward” or “Next”. This button is often visually enticing, prompting users to engage.

Underneath or overlaid on this button is an invisible iframe containing a sensitive interface element from a legitimate third-party service.

For example:

  • An OAuth permission prompt (e.g., Google, Facebook)
  • A browser extension install confirmation
  • A crypto transaction approval window

The iframe is precisely aligned with the visible button to capture the user’s click in just the right place.

Step 2: First Click – Context Switch Begins

When the user clicks the visible button, the attacker uses JavaScript to trigger a window event or a frame switch:

  • The top layer (such as a CAPTCHA or prompt) closes or moves.
  • The underlying iframe or window is now exposed but the user still believes they’re interacting with the original content.
  • The user is encouraged (or trained) to click again immediately, completing the second part of the action.

Step 3: Second Click – The Real Exploit

The second click lands directly on a sensitive element from the legitimate site, such as:

  • The “Allow” button on an OAuth request
  • The “Install” confirmation for a browser extension
  • The “Confirm” button for a crypto wallet transaction
  • The “Proceed” action for a bank transfer or account deletion

The user, unaware of this bait-and-switch, has just authorized a potentially dangerous action.

The Objectives Behind Double Clickjacking Attacks

Double clickjacking tricks users into performing unintended actions by exploiting multiple clicks. Here’s a look at the main objectives of these attacks:

Triggering Unwanted Actions: The attacker manipulates the user’s clicks to execute harmful actions like changing security settings or making unauthorized transactions.

Exploiting User Trust: By masking malicious content with legitimate websites, attackers deceive users into thinking they’re interacting with trusted content.

Bypassing Authentication: Double clickjacking can bypass security mechanisms, allowing attackers to perform actions that would normally require authentication, such as altering account settings.

Exploiting Weak Web Features: Attackers target insecure features in web applications (like payment systems) to initiate unauthorized actions.

Stealing Sensitive Information: Attackers can create fake forms to collect login credentials, credit card details, or other sensitive data.

Compromising User Accounts: Double clickjacking can lead to long-term account compromise, including unauthorized transactions or account hijacking.

Why Double Clickjacking Is So Dangerous

Complexity of Detection: Because double clickjacking involves two clicks, the attack may be harder for the user to recognize. The first click appears harmless, so users are less likely to notice that something is wrong until it’s too late.

Bypasses One-Click Protections: Many modern web security controls are designed to intercept or challenge single click events. Double clickjacking uses timing gaps and window manipulation to chain two clicks in a way that evades these defenses.

Exploiting Trusted Websites: This attack allows the attacker to exploit trusted sites and trick users into performing actions they didn’t intend, such as transferring money or granting harmful permissions.

Security Impact: Successful double clickjacking attacks can lead to unauthorized actions, data breaches, and loss of control over personal or financial information, all of which can cause significant harm to users and organizations.

How to Protect Against Double Clickjacking

Double clickjacking bypasses traditional browser security by exploiting timing gaps between user interactions. While standard measures like X-Frame-Options headers and frame-busting scripts are essential, they alone aren’t enough to stop this evolving threat. Organizations need a more intelligent, layered defense.

Here are key strategies to defend against double clickjacking:

Content Security Policy (CSP): CSP is a more flexible approach that allows administrators to define which content can be loaded on a website. By specifying frame-ancestors 'none' or frame-ancestors 'self', organizations can prevent their site from being embedded in any iframe or limit framing to only their own domain.
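As an added example of the header-side control (this is not Indusface or AppTrana code, and the function names and sample header sets are constructed for illustration), the Node.js snippet below builds the two policies just named and audits a captured set of response headers to report whether a page can still be framed by an arbitrary site. It also covers the case the text does not spell out: when a Content-Security-Policy with frame-ancestors is present, CSP-capable browsers ignore X-Frame-Options, so a permissive frame-ancestors list is a hole even if X-Frame-Options says DENY. Note that frame-ancestors is only honoured in the HTTP response header, not in a <meta> tag.

```javascript
// Added example, not code from the original article.
// Builds anti-framing response headers and audits a response's headers
// to see whether a page can still be embedded in a cross-site iframe.

// Build the headers for the two policies the article mentions.
// mode: 'none' (no framing at all) or 'self' (only same-origin framing).
// X-Frame-Options is kept as a fallback for browsers without CSP level 2;
// a CSP-capable browser ignores X-Frame-Options when frame-ancestors is present.
function framingHeaders(mode) {
  if (mode !== 'none' && mode !== 'self') {
    throw new Error(`unsupported framing mode: ${mode}`);
  }
  return {
    'Content-Security-Policy': `frame-ancestors '${mode}'`,
    'X-Frame-Options': mode === 'none' ? 'DENY' : 'SAMEORIGIN',
  };
}

// Parse a CSP header value into { directiveName: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Source expressions that still let an arbitrary site frame the page.
const OPEN_SOURCES = new Set(['*', 'http:', 'https:']);

// headers: lower-cased header-name -> value, as Node's http module exposes them.
// Returns { protected: boolean, reason: string }.
function auditFraming(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors) {
      // frame-ancestors wins over X-Frame-Options in supporting browsers,
      // so an open list is a hole even when X-Frame-Options says DENY.
      const open = ancestors.filter((s) => OPEN_SOURCES.has(s.toLowerCase()));
      return open.length === 0
        ? { protected: true, reason: `frame-ancestors restricts framing to: ${ancestors.join(' ')}` }
        : { protected: false, reason: `frame-ancestors allows any site via: ${open.join(' ')}` };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo} only (legacy control, no frame-ancestors)` };
  }
  return { protected: false, reason: 'no frame-ancestors directive and no usable X-Frame-Options' };
}

// Constructed sample header sets for a quick demonstration.
const SAMPLE_RESPONSES = {
  hardened: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  legacyOnly: { 'x-frame-options': 'SAMEORIGIN' },
  cspOverridesXfo: { 'content-security-policy': 'frame-ancestors https:', 'x-frame-options': 'DENY' },
  unprotected: {},
};

for (const [label, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const result = auditFraming(headers);
  console.log(`${label.padEnd(16)} protected=${result.protected} (${result.reason})`);
}
console.log(framingHeaders('none'));
```

To audit a live site, fetch a page with Node's http or https module and pass the response's headers object (already lower-cased) to auditFraming; to apply the policy, write the object returned by framingHeaders onto every HTML response, including error pages and redirects, since an unprotected error page is still frameable.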

CAPTCHAs: Implementing CAPTCHA on sensitive actions (such as submitting forms or logging in) can prevent automated double clickjacking attacks. Since CAPTCHA requires user interaction, it adds a layer of complexity for attackers to bypass.

Preventing UI Redressing: Developers can use interaction design techniques that make it difficult for attackers to cover legitimate UI elements with invisible or disguised iframes. For example, using fixed layouts and avoiding placing sensitive actions (such as buttons or form submissions) on top of clickable elements can minimize the risk.

User Interaction Validation: It’s important to validate user actions before performing sensitive operations. For instance, a double-click or confirmation dialog asking users to validate their intent before proceeding with important actions (like submitting forms or transferring funds) adds an extra layer of security.

JavaScript Monitoring: This technique involves running scripts on the client side that continuously monitor the integrity of the webpage’s layout and user interaction layers. If any unauthorized iframe overlays, hidden elements, or suspicious frame manipulations are detected—common signs of double clickjacking—these scripts can immediately block the action, alert the system, or stop the page from loading.
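One concrete form of the interaction validation and client-side monitoring described in the two paragraphs above, written as an added example rather than code from the article or from AppTrana: sensitive buttons (marked here with an assumed data-sensitive attribute) stay disabled until the page has been visible for a short interval and the user has produced a genuine pointer or keyboard gesture on it since it was exposed. From the target page's point of view, the second click of a double clickjacking sequence arrives the instant the page is exposed, with no movement on the page beforehand, so it finds the button disabled. The 500 ms threshold and the helper names are this example's assumptions; the decision logic is kept in a pure function so it can be unit-tested outside a browser.

```javascript
// Added example, not code from the original article or from AppTrana.
// Client-side gate for sensitive controls: a button only becomes active once
// the page has been exposed for a minimum interval AND the user has moved the
// pointer or pressed a key on this page since it was exposed.

const MIN_EXPOSURE_MS = 500; // assumed threshold; tune per application

// Pure state machine, independent of the DOM so it can be tested in Node.
function createClickGuard(minExposureMs = MIN_EXPOSURE_MS) {
  const state = { exposedAt: null, gestureSeen: false };
  return {
    // Call whenever the page becomes visible or focused (load, focus, tab switch,
    // or an overlaying window closing). Any earlier gesture no longer counts.
    exposed(now) {
      state.exposedAt = now;
      state.gestureSeen = false;
    },
    // Call on pointer movement or a key press that happened on this page.
    gesture() {
      if (state.exposedAt !== null) state.gestureSeen = true;
    },
    // True only when both conditions hold at time `now`.
    isArmed(now) {
      return state.gestureSeen && state.exposedAt !== null && now - state.exposedAt >= minExposureMs;
    },
    snapshot() {
      return { ...state };
    },
  };
}

// Browser wiring; skipped when running under Node.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const guard = createClickGuard();
  const sensitive = () => Array.from(document.querySelectorAll('[data-sensitive]'));

  // Reflect the guard's decision onto the buttons' disabled state.
  const refresh = () => {
    const armed = guard.isArmed(performance.now());
    sensitive().forEach((el) => { el.disabled = !armed; });
  };

  const markExposed = () => {
    guard.exposed(performance.now());
    refresh();
    // Re-check once the minimum interval has passed, in case the gesture
    // arrived before it did.
    setTimeout(refresh, MIN_EXPOSURE_MS);
  };

  window.addEventListener('focus', markExposed);
  document.addEventListener('visibilitychange', () => {
    if (!document.hidden) markExposed();
  });
  document.addEventListener('mousemove', () => { guard.gesture(); refresh(); }, { passive: true });
  document.addEventListener('keydown', () => { guard.gesture(); refresh(); });

  // Second line of defence: reject clicks that slip through (e.g. a script
  // re-enabling the button) and log them for client-side monitoring.
  document.addEventListener('click', (ev) => {
    const target = ev.target instanceof Element ? ev.target.closest('[data-sensitive]') : null;
    if (target && !guard.isArmed(performance.now())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
      console.warn('Sensitive click rejected: no user gesture since the page was exposed');
    }
  }, true);

  // Page just loaded: treat it as freshly exposed.
  markExposed();
}
```

The reset in exposed() is the part that matters: a focus or visibility change re-arms the gate, so a gesture made before an overlaying window closed does not carry over. Keyboard users arm the gate through keydown, and the server must still validate intent (for example with a per-action confirmation token), since a client-side gate only protects pages you control and can be bypassed by a browser with scripts disabled.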

AppTrana WAAP’s client-side protection strengthens this layered defense by monitoring JavaScript behavior in real time, ensuring that only trusted scripts are executed. It provides visibility into browser-side activity and helps block malicious iframes or injected scripts commonly used in clickjacking attacks.

Indusface