WWW.FORBES.COM
Don't Click Twice: New Chrome, Edge, Safari Hack Attack Warning
Double-clickjack hack attacks strike. (Photo: Getty)

Update, Jan. 5, 2025: This story, originally published Jan. 3, now includes an explanation of clickjacking as a threat surface along with additional information regarding the double-clickjacking hack itself and a warning from a security expert on how such attacks are evolving.

Hundreds of millions of web users have been warned about a new and dangerous cyber attack that doesn't care what browser you use, as long as you click twice. Here's everything you need to know about the double-clickjacking hack attack.

Don't Click Twice Warning As New Hack Attack Confirmed

Application security and client-side offensive exploit researcher Paulos Yibelo, who has a long history of discovering vulnerabilities and novel security threats, has revealed what could be the attack methodology with the biggest reach of them all: everyone using a web browser. In a blog post detailing what he calls DoubleClickjacking, Yibelo describes in technical detail how attackers can take over your accounts when you double-click in Chrome, Edge, Safari or just about any other browser.

This threat surface exists because attackers can trick the user of almost any website, in almost any browser, into clicking something without realizing they are doing it. Classic clickjacking was largely neutralized once sites began sending the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, which browsers enforce to stop a page being loaded inside another site's iframe, and once Chrome and Edge began treating cookies as SameSite=Lax by default, so that a framed page is usually not even logged in. Double clickjacking gets around these protections by adding another layer of attack: it relies on the timing of a mouse double-click to get the victim to approve a login or some other account authorization while they think they are clicking something else on the screen, such as a CAPTCHA. Because the sensitive page is opened as a top-level window rather than inside a frame, neither the framing headers nor the SameSite cookie restrictions come into play.
The TL;DR, in other words, is that a new window is opened and the user is asked to double-click on a prompt while, in the blink of an eye, the attacker switches the context underneath to a different window altogether, so the second click lands somewhere the user never intended.

I have approached Apple, Google and Microsoft for a statement.

What Is A Clickjack Hack Attack?

A clickjacking attack, simply explained, uses various methods to get users clicking on invisible or otherwise obfuscated (disguised as something else) web page elements. Such attacks are generally executed by loading the target page, or a single element of it, inside an iframe: an HTML element whose whole purpose is to display one web page within another. The iframe is made invisible and positioned on top of a decoy page that the user does see, so that while the user thinks they are clicking what they are looking at, they are actually clicking the invisible element layered over it.

A couple of clickjacking variations seen over the years include, according to researchers at security firm Imperva, likejacking and cursorjacking. Likejacking manipulates a "like" button so as to trick a user into liking a page without realizing they are doing so. Cursorjacking is a user-interface redressing method that displays the cursor at a different position from where the real pointer is, so the victim's clicks land somewhere else entirely. The dangers of this do not really need explaining. Cursorjacking, however, is no longer a practical issue, as the browser vulnerabilities that allowed it have long since been addressed, and, as already mentioned, classic clickjacking itself has become all but obsolete thanks to framing protections that every major browser enforces. There is, though, a simple test you can run to see whether your own site can still be framed: the OWASP Clickjacking Defense Cheat Sheet includes a minimal test page that loads your site in an iframe, and if your page renders inside it, it is vulnerable.
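The framing test referred to above checks one thing: whether the target page can be embedded at all. The following is an added example, not code from the article, Imperva or OWASP, that makes the same check programmatically from a response's headers, following the rules browsers apply: a CSP frame-ancestors directive, when present, overrides X-Frame-Options, every delivered policy must allow the embedder, and X-Frame-Options values other than DENY and SAMEORIGIN (including the obsolete ALLOW-FROM) are ignored. The origins, header values and function names are constructed for the example.

```javascript
'use strict';
// Added example, not code from the article, Imperva or OWASP: decide from a
// response's headers whether an embedder origin may frame the page, which is
// the precondition for classic iframe-based clickjacking. Origins and header
// values below are constructed for the example.

// Return the frame-ancestors source list from one CSP header value,
// or null if the policy carries no frame-ancestors directive.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1); // an empty list means no ancestor is allowed
    }
  }
  return null;
}

// Match one frame-ancestors source expression against the embedder origin.
// Handles 'none', 'self', '*', scheme sources ("https:") and host sources
// with an optional scheme, a leading "*." wildcard and an optional port.
function sourceMatches(source, pageOrigin, embedderOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === pageOrigin;
  if (s === '*') return true;
  const emb = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return emb.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && emb.protocol !== scheme + ':') return false;
  if (wildcard ? !emb.hostname.endsWith('.' + host) : emb.hostname !== host) return false;
  if (port && port !== '*') {
    const embPort = emb.port || (emb.protocol === 'https:' ? '443' : '80');
    if (embPort !== port) return false;
  }
  return true;
}

// headers: object mapping header name -> string or array of strings.
// Mirrors browser behaviour: if any delivered CSP carries frame-ancestors,
// X-Frame-Options is ignored and every such policy must allow the embedder;
// otherwise DENY and SAMEORIGIN are honoured and any other value is ignored,
// i.e. the page is frameable. A single X-Frame-Options value is assumed; the
// spec's handling of conflicting duplicate values is not modelled here.
function isFrameableBy(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = [].concat(value);
  let sawFrameAncestors = false;
  for (const policy of h['content-security-policy'] || []) {
    const sources = parseFrameAncestors(policy);
    if (sources === null) continue;
    sawFrameAncestors = true;
    if (!sources.some((src) => sourceMatches(src, pageOrigin, embedderOrigin))) return false;
  }
  if (sawFrameAncestors) return true;
  const xfo = (h['x-frame-options'] || [])[0];
  if (!xfo) return true;
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true;
}

// Constructed sample: a login page checked against an attacker-controlled origin.
const SAMPLE_PAGE = 'https://login.example';
const ATTACKER = 'https://evil.example';
const SAMPLES = {
  'no headers at all': {},
  'X-Frame-Options: DENY': { 'X-Frame-Options': 'DENY' },
  'frame-ancestors overrides XFO': {
    'X-Frame-Options': 'ALLOWALL',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  },
  'only partner subdomains over https': {
    'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example",
  },
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(`${label}: frameable by ${ATTACKER}? ${isFrameableBy(headers, SAMPLE_PAGE, ATTACKER)}`);
}
```

A result of false here means classic iframe-based clickjacking is blocked for that embedder. It says nothing about double clickjacking, because that attack never frames the page: the sensitive page is opened top-level, where neither header is consulted.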
Why The Double Clickjack Hack Is So Dangerous

"While it might sound like a small change," Yibelo said, "double clickjacking opens the door to new UI manipulation attacks that bypass all known clickjacking protections, and seemingly affects almost every website, leading to account takeovers on many major platforms." Yibelo highlighted the following reasons why the attack is so dangerous:

- It can bypass existing clickjacking protections.
- It can impact more than just websites: attacks on crypto wallets and on smartphones are possible too.
- It is an entirely new attack surface for attackers to exploit.
- All websites are, by default, vulnerable to it.
- It only requires the target to double-click, nothing else.

Exploiting The Double Clickjacking Hack Technique

In the blog post detailing the double clickjacking methodology, Yibelo provides two examples of how the technique can be exploited by attackers. The first is by way of OAuth and API permissions. OAuth (Open Authorization) is the industry-standard way for an application or website to be granted access to a user's resources hosted on a different site without the user handing over their password: the user is shown a consent page and approves the requested permissions with a single click. Secure, that is, until it isn't, because that one "Authorize" click is exactly what a double-clickjack delivers. "Attackers could trick targets into authorizing a malicious application with extensive privileges," Yibelo warned. "This technique has unfortunately led to account takeovers in almost every site that supports OAuth, which is pretty much all major websites with application programming interface (API) support."
Secondly, Yibelo said, there are the one-click account change attacks, which are similar to classic clickjacking in that double clickjacking can be used to make the user click on account-setting changes, "such as disabling security settings, deleting an account, authorizing access or money transfers, or confirming transactions, etc."

"DoubleClickjacking is a sleight of hand around a well-known attack class," Yibelo said. "By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye." This means that developers and security teams need to tighten their control over embedded or opener-based windows and be more vigilant about such things as multi-click patterns.

Evolution Of Hack Attacks Creates Additional Challenges For Defenders

Totally unsurprisingly, reports of this double-clickjacking exploit have created great concern among users and cybersecurity professionals alike. "The marginal decreases in ransomware and malware over the past year," Spencer Starkey, an executive vice president at content control and network security vendor SonicWall, said, "should not fool people; hackers have just changed their tactics." There is no doubt that cyber attacks are constantly evolving; the proof is there in front of you, both in the articles I write here at Forbes.com and in the exploits that so many fall victim to. "Due to the speed at which new attacks are being created, they are more adaptive and difficult to detect," Starkey said, "which poses an additional challenge for cybersecurity professionals. From the high-level business perspective, this means looking to monitor their networks for suspicious activity constantly." "The sooner teams can flag a potential issue," Starkey concluded, "the lower the risk of an attack."

When it comes to attack mitigation, Yibelo said, "I've reported this issue to some sites; the results have been mixed. Most have chosen to address it while some have chosen not to."
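The two abuse cases above, the OAuth consent click and the one-click account change, share a defence point: the sensitive page itself, since framing headers never see this attack. What follows is an added example, not code from Yibelo's post or from the article, of a client-side guard for such a control, run against a constructed event timeline of a double-clickjack. It assumes one arrangement consistent with the article's description: the attacker has already pointed the opener window at the sensitive page and closes the prompt popup on the first mousedown, so the second click of the double-click lands on the opener. The guard policy (disarm the control whenever the page is shown or regains focus, arm it only after a pointer movement or key press, and refuse clicks arriving within a double-click interval of the last show) is this example's own; the class and function names, the 500 ms threshold and every timestamp are assumptions.

```javascript
'use strict';
// Added example, not code from Yibelo's post or the article: a guard for one
// sensitive control (e.g. an OAuth "Authorize" button) driven by a constructed
// double-clickjack event timeline. Names, thresholds and timestamps are assumed.

// Policy (assumed for the example):
//   1. the control is disarmed whenever the page becomes visible or regains
//      focus (load, visibilitychange, window focus after a popup closes);
//   2. it arms only after a pointer movement or key press on this page;
//   3. even then, clicks inside armDelayMs of the last (re)show are refused,
//      because the second half of a double-click arrives within that window.
class SensitiveControlGuard {
  constructor({ armDelayMs = 500 } = {}) {
    this.armDelayMs = armDelayMs;
    this.shownAt = null;
    this.sawGesture = false;
  }
  shown(t)        { this.shownAt = t; this.sawGesture = false; }
  pointerMoved(t) { if (this.shownAt !== null && t >= this.shownAt) this.sawGesture = true; }
  keyPressed(t)   { this.pointerMoved(t); }
  click(t) {
    if (this.shownAt === null) return { accepted: false, reason: 'control not yet shown' };
    if (t - this.shownAt < this.armDelayMs) return { accepted: false, reason: 'click within arm delay of (re)show' };
    if (!this.sawGesture) return { accepted: false, reason: 'no pointer movement or key press since (re)show' };
    return { accepted: true, reason: 'ok' };
  }
}

// Feed the opener-window events to the guard and return its decision on the
// click. The guard runs only in the sensitive page, so popup events are skipped.
function decideClick(timeline, guard) {
  let decision = { accepted: false, reason: 'no click seen' };
  for (const ev of timeline) {
    if (ev.window !== 'opener') continue;
    switch (ev.type) {
      case 'load': case 'focus': case 'visible': guard.shown(ev.t); break;
      case 'mousemove': guard.pointerMoved(ev.t); break;
      case 'keydown': guard.keyPressed(ev.t); break;
      case 'click': decision = guard.click(ev.t); break;
      default: break; // mousedown/mouseup carry no trust signal here
    }
  }
  return decision;
}

// Constructed attack timeline (times in ms, illustrative). The popup asks for a
// double-click; the opener already holds the sensitive page behind it; the
// attacker closes the popup on the first mousedown, so the second click of
// the double-click lands on the opener's sensitive button.
const ATTACK_TIMELINE = [
  { t: -3000, window: 'opener', type: 'load' },       // sensitive page loaded behind the popup
  { t: 0,     window: 'popup',  type: 'mousedown' },  // first click, on the prompt
  { t: 5,     window: 'opener', type: 'focus' },      // popup closed; opener regains focus
  { t: 140,   window: 'opener', type: 'mousedown' },  // second click, now on the sensitive button
  { t: 200,   window: 'opener', type: 'mouseup' },
  { t: 200,   window: 'opener', type: 'click' },
];

// Constructed legitimate timeline: the user looks at the page, moves the mouse, clicks.
const LEGIT_TIMELINE = [
  { t: 0,    window: 'opener', type: 'load' },
  { t: 900,  window: 'opener', type: 'mousemove' },
  { t: 1400, window: 'opener', type: 'mousedown' },
  { t: 1460, window: 'opener', type: 'mouseup' },
  { t: 1460, window: 'opener', type: 'click' },
];

function runAttack() { return decideClick(ATTACK_TIMELINE, new SensitiveControlGuard()); }
function runLegit()  { return decideClick(LEGIT_TIMELINE,  new SensitiveControlGuard()); }

console.log('double-clickjack click:', runAttack());
console.log('legitimate click:      ', runLegit());
```

In a real page the guard would be fed from load, focus and visibilitychange listeners (shown), mousemove and keydown listeners (pointerMoved and keyPressed) and the sensitive button's click handler, with the button's disabled attribute mirroring the armed state. The attack click is refused on two independent grounds, the focus regain and the absence of any gesture, so the guard does not depend on the browser firing a focus event when the popup closes. The 500 ms arm delay is chosen to exceed typical double-click intervals; a refused click should be surfaced to the user as "please click again" rather than silently dropped, since a legitimate user who clicks fast on a freshly focused page hits the same rule.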
As for end users, the advice for now has to be: don't double-click when a site asks you to, especially to "verify" a CAPTCHA or similar prompt, until in-browser mitigations are available. Since the highest-impact variant grants a malicious application OAuth access to your account, it is also worth reviewing the third-party applications authorized on your major accounts and revoking any you do not recognize.