
Security pro demos ‘double’ take on classic clickjacking

The sleight-of-hand tactic “affects almost every website,” according to a recent post from security engineer Paulos Yibelo.


Anna Kim



IT pros and Bob Dylan fans take heed: Don’t click twice, it’s not alright!

As threat actors increasingly use fake CAPTCHAs, tutorials, and updates to get targets to hack themselves, a researcher published a way for end-users to potentially double-click their way into some trouble.

The technique—what application-security pro (and Amazon security engineer) Paulos Yibelo calls “doubleclickjacking”—offers a sleight-of-hand ruse: Attackers load a seemingly legitimate window (“verify you’re a human,” for example, by performing a doubleclick). One click minimizes a window. With Yibelo’s code, the theoretical threat actor can then get a malicious site and button to swoop in, undetected, under the second click.

“By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye,” Yibelo wrote in the conclusion of his December post.

You don’t know clickjack. Regular ol’ clickjacking involved an inline frame, or iframe, which allowed an additional HTML page to load atop a website. The secondary iframe element could be coded to line up precisely so that a user might click on something malicious when meaning to click on a normal site button. Browsers have since added protections that let a site refuse to be loaded within an iframe.

Yibelo’s published code uses no iframe elements; instead it relies on the window-opening command aptly named window.open: Click #1 closes the top window and reveals a second window beneath it. Click #2 lands on a button in that second window, and that button could be a nasty one authorizing a malicious application with extensive privileges. (See one demonstration here from SquareX.)

HIY there! Scam-yourself tactics are on the rise, as reported last year by IT Brew. In Q3 2024 alone, security company Gen claims it stopped 2.1 million fake-CAPTCHA attacks.

In an exchange of messages on LinkedIn, Yibelo said he came up with the CAPTCHA idea, considering how CAPTCHAs are “getting weirder and weirder by the day” as bots evolve to beat them.

The fix is in. Yibelo shared defensive JavaScript code, which disables critical buttons until a user gesture (a mouse movement or a key press, for example) is detected.
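As an added illustration of that defensive pattern (example code written for this page, not Yibelo’s own snippet), the block below keeps an authorization button disabled until a trusted mouse-move or key event arrives, and replays the hijacked-second-click case against a constructed stand-in for DOM event targets so it runs offline in Node:

```javascript
// Added example: keep a sensitive button inert until a genuine user gesture
// (mouse movement or key press) is seen; a bare double-click delivers neither.

// Minimal stand-in for an EventTarget so the example runs offline in Node.
// In a browser, pass the real `document` and the real <button> instead.
class FakeTarget {
  constructor() { this.listeners = {}; this.disabled = false; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  dispatchEvent(event) {
    (this.listeners[event.type] || []).forEach((fn) => fn(event));
  }
}

// Disable `button` and re-enable it only after a trusted mousemove or keydown
// on `page`. Script-dispatched events carry isTrusted === false and are ignored.
function protectSensitiveButton(button, page) {
  button.disabled = true;
  let armed = false;
  const onGesture = (event) => {
    if (event.isTrusted === false) return;
    armed = true;
    button.disabled = false;
  };
  ['mousemove', 'keydown'].forEach((type) => page.addEventListener(type, onGesture));
  return {
    // Click handler: honour the click only once a real gesture has armed the button.
    handleClick: (event) => armed && event.isTrusted !== false,
  };
}

// Replays the situations from the article on the stand-in objects.
function simulateDoubleClickjack() {
  const page = new FakeTarget();
  const authorize = new FakeTarget();
  const gate = protectSensitiveButton(authorize, page);
  // 1. The swapped-in page receives the second click with no prior gesture.
  const stray = gate.handleClick({ type: 'click', isTrusted: true });
  // 2. A script tries to arm the button by faking a mousemove: ignored.
  page.dispatchEvent({ type: 'mousemove', isTrusted: false });
  const forged = gate.handleClick({ type: 'click', isTrusted: true });
  // 3. The user really moves the mouse, then clicks: accepted.
  page.dispatchEvent({ type: 'mousemove', isTrusted: true });
  const genuine = gate.handleClick({ type: 'click', isTrusted: true });
  return { strayBlocked: !stray, forgedBlocked: !forged,
           genuineAllowed: genuine, buttonEnabled: !authorize.disabled };
}
```

In a page you would call `protectSensitiveButton(document.querySelector('#yourButton'), document)` once the DOM is ready; the `isTrusted` check is what stops a script in the attacker-controlled window from arming the button itself.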

The researcher also recommended, in his December post, that browsers support a new, hypothetical HTTP header that would “limit or block rapid context-switching between windows during a double-click sequence.”

“This technique seemingly affects almost every website, leading to account takeovers on many major platforms,” Yibelo wrote.
