Security
16 min read
54 views

DoubleClickjacking: Modern UI Redressing Attacks Explained

IT
InstaTunnel Team
Published by our engineering team
DoubleClickjacking: Modern UI Redressing Attacks Explained

Clickjacking 2.0: UI Redressing in Modern Single-Page Applications 🪟

Introduction: The Evolution of an Old Threat

Clickjacking, also known as UI redressing, has been a persistent web security threat since its discovery in 2008. However, what many security professionals don’t realize is that this attack vector has evolved dramatically in 2024 and 2025, with new variants that bypass traditional defenses and target modern web applications in ways that were previously impossible.

Following urgent warnings issued for hundreds of millions of Chrome, Edge, and Safari users in 2025, security researchers have documented a concerning uptick in clickjacking and related attacks. These aren’t your traditional iframe-based attacks—they’re sophisticated exploits that work even with frame-busting scripts, Content Security Policy (CSP) headers, and SameSite cookies.

In this comprehensive guide, we’ll explore the cutting-edge techniques attackers are using today, from double-click exploitation to drag-and-drop file theft, and how single-page applications (SPAs) have created new attack surfaces that most developers aren’t prepared to defend against.

Understanding Classic Clickjacking: The Foundation

Before diving into advanced techniques, it’s essential to understand the basics. Clickjacking occurs when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.

The attack works through a simple but effective mechanism:

  1. The Setup: An attacker creates a malicious webpage with enticing content (free prizes, game, video)
  2. The Overlay: A legitimate website is loaded in an invisible iframe positioned precisely over the attacker’s content
  3. The Deception: Users think they’re clicking on the visible content but are actually clicking on the hidden legitimate site
  4. The Exploit: Actions like fund transfers, account changes, or OAuth authorizations occur without the user’s knowledge

One notorious example was an attack against the Adobe Flash plugin settings page, where attackers could trick users into altering security settings to give permission for Flash animations to utilize the computer’s microphone and camera.

The Single-Page Application Problem

Single-page applications built with React, Angular, Vue, and similar frameworks have revolutionized web development, but they’ve also created unique security challenges that make clickjacking attacks more dangerous than ever.

Why SPAs Are More Vulnerable

The client-side rendering frequently implemented in SPAs can make them vulnerable to unauthorized access and data manipulation, including routing manipulation, hidden element exposure, and JavaScript debugging vulnerabilities.

Unlike traditional multi-page applications, SPAs:

  • Load all JavaScript upfront, including routes and components that users may not be authorized to access
  • Handle authentication client-side, creating a window where unauthorized content is briefly visible
  • Rely heavily on API interactions, which can be intercepted and manipulated
  • Store sensitive logic in the browser, making it accessible to attackers

Because SPAs rely entirely on the client’s browser to render content using API data, users have significant control over the application, making user or role impersonation easier.

The Client-Side Rendering Gap

When a SPA loads, there’s a critical vulnerability window. The initially returned HTML document does not contain any content, and once the JavaScript files have been run in the browser, the application’s frontend user interface and content is loaded at runtime. During this pause, attackers can exploit the application’s routing system and access unauthorized pages before authentication checks complete.

DoubleClickjacking: Bypassing All Known Protections

In December 2024, security researcher Paulos Yibelo disclosed one of the most significant clickjacking variants discovered in years: DoubleClickjacking. This technique has fundamentally changed the clickjacking landscape.

How DoubleClickjacking Works

DoubleClickjacking is a new variation that takes advantage of a double-click sequence rather than relying on a single click, opening the door to new UI manipulation attacks that bypass all known clickjacking protections, including X-Frame-Options header, CSP’s frame-ancestors, and SameSite: Lax/Strict cookies.

The attack follows a sophisticated sequence:

  1. Initial Lure: User visits an attacker-controlled site that opens a new window with seemingly innocuous content (like a CAPTCHA verification)
  2. Double-Click Prompt: The new window prompts the user to double-click to proceed
  3. Mid-Click Redirect: As the double-click occurs, the parent site uses JavaScript Window Location object to redirect to a malicious page
  4. Window Closure: The top window closes during the second click, causing the user to unknowingly click on the redirected page (e.g., approving an OAuth application)

By exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye.

Why Traditional Defenses Fail

Most webapps and frameworks assume that only a single forced click is a risk. DoubleClickjacking adds a layer many defenses were never designed to handle—methods like X-Frame-Options, SameSite cookies, or CSP cannot defend against this attack.

The reason is simple: traditional clickjacking is becoming less practical as modern browsers set all cookies to “SameSite: Lax” by default, meaning even if an attacker site can frame another website, the framed site would be unauthenticated because cross-site cookies are not sent. DoubleClickjacking doesn’t rely on iframes at all—the attack happens directly on the legitimate site.

Real-World Impact

Yibelo demonstrated that this attack impacts almost all sites, sharing demonstration videos using DoubleClickjacking to take over Shopify, Slack, and Salesforce accounts. The technique isn’t limited to websites either—it can be used to attack browser extensions, with proof of concepts created for top browser crypto wallets that use this technique to authorize web3 transactions and dApps or disable VPNs to expose IP addresses.

DOM-Based Extension Clickjacking: Your Password Manager Is Vulnerable

In August 2025, another groundbreaking clickjacking variant was disclosed that targets browser extensions—specifically password managers used by millions globally.

The Extension Vulnerability

Independent security researcher Marek Tóth discovered that popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, are susceptible to DOM-based extension clickjacking, with these extensions having millions of users collectively.

The technique involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM—for example, auto-fill prompts—by making them invisible by setting their opacity to zero.

How the Attack Works

The exploitation is disturbingly simple:

  1. Fake Site Creation: Attacker creates a website with an intrusive pop-up (login screen or cookie consent banner)
  2. Invisible Form Embedding: An invisible login form is embedded such that clicking to close the pop-up triggers the form
  3. Auto-Fill Exploitation: Clicking on the site to close the pop-up causes credential information to be auto-filled by the password manager and exfiltrated to a remote server

Scope of the Problem

The research findings were alarming:

  • All 11 tested password managers were initially vulnerable to DOM-based Extension Clickjacking in the default configuration, with approximately 40 million active installations at risk
  • Six out of nine password managers were vulnerable to credit card detail extraction, while eight out of ten could be exploited to exfiltrate stored personal information
  • Ten out of eleven password managers were susceptible to credential theft, including Time-based One-Time Password (TOTP) codes used for two-factor authentication

All password managers filled credentials not only to the ‘main’ domain but also to all subdomains, meaning an attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click, including TOTP.

Current Status

As of August 2025, the vulnerability landscape looks like this:

Patched: Dashlane, Keeper, NordPass, ProtonPass, RoboForm

Still Vulnerable: 1Password, Bitwarden, LastPass, iCloud Passwords, Enpass, LogMeOnce—representing approximately 32.7 million active installations.

Drag-and-Drop Attacks: File Theft from Your Local Machine

One of the most insidious clickjacking variants exploits the drag-and-drop functionality built into modern browsers. This technique can steal files directly from your computer.

The Drag-and-Drop Mechanism

Security expert Paul Stone demonstrated that rather than getting victims to click on specific locations, attackers can get users to drag objects or text from visible windows into an invisible iframe.

The attack leverages the drag-and-drop API provided by modern browsers:

  • Internet Explorer, Firefox, Chrome, and Safari all support this functionality
  • Attackers don’t need the user to click—just drag
  • Stone can enter text into forms or read documents opened in the victim’s browser or the page source using these techniques

Cookiejacking and File Exfiltration

In cookiejacking attacks, the user is led to interact with a UI element via drag and drop to provide the attacker with cookies stored on their browser, potentially allowing the attacker to perform actions on the target website on behalf of the user.

In a drag-and-drop clickjacking attack, users might think they’re dragging a file like a PDF of their bank statement or any other file with sensitive data to upload it to their trustable website. However, because of the invisible layer, they’re actually dragging and dropping their file into a hidden area set up by the attacker.

Enhanced Capabilities with Java

The attack becomes even more sophisticated when combined with Java:

Java’s drag and drop API is more powerful than the browser’s, allowing attackers to dispense with marking text by dragging and instead requiring just a single click. By combining the attack with JavaScript, it’s possible to issue the drag command whenever desired—even when the cursor is not over the Java applet or when the user is not holding down the left mouse button.

Advanced Clickjacking Techniques in Practice

Multi-Step Clickjacking

Some browsers allow dragging and dropping content into a framed website, thus making it possible to submit text via Clickjacking, meaning Clickjacking now has the full power of CSRF, making it possible to exploit self-XSS vulnerabilities or submit arbitrary content as the targeted user.

Firefox is particularly vulnerable to this technique, allowing text to be dragged into frames (though not out of them). This means attackers can:

  • Exploit self-XSS vulnerabilities that typically require user input
  • Add new admin users if the victim has sufficient privileges
  • Submit arbitrary form data across multiple fields
  • Chain together multiple actions in a single attack sequence

Cursorjacking

Cursorjacking is a UI redressing technique that changes the cursor for the position the user perceives to another position, though it relies on vulnerabilities in Flash and the Firefox browser which have now been fixed.

While the original vulnerabilities have been patched, the concept remains relevant as new cursor manipulation techniques continue to emerge.

Frame-Busting Bypass Techniques

Even when websites implement frame-busting JavaScript to prevent being loaded in iframes, attackers have developed bypass methods:

Sandbox Attribute Bypass: Using the HTML5 sandbox attribute with specific permissions can neutralize frame-busting scripts:

<iframe sandbox="allow-forms allow-scripts" 
        src="https://victim-site.com/protected-page">
</iframe>

The sandbox attribute without allow-top-navigation prevents the frame-busting script from breaking out of the iframe, effectively neutralizing the protection.

Double Iframe Technique: Nesting iframes can confuse frame-busting logic:

<iframe src="attacker-page-with-nested-iframe.html"></iframe>
<!-- Inside attacker-page-with-nested-iframe.html -->
<iframe src="https://victim-site.com/protected-page"></iframe>

Real-World Attack Scenarios

Scenario 1: OAuth Application Hijacking

With DoubleClickjacking, an attacker can:

  1. Create a page promising exclusive content
  2. Prompt users to solve a “CAPTCHA” with a double-click
  3. During the second click, redirect to an OAuth authorization page
  4. User unknowingly authorizes a malicious application to access their accounts

This enables one-click account changes, similar to classic clickjacking, allowing attackers to make users click on account-setting changes such as disabling security settings, deleting an account, authorizing access, money transfers, or confirming transactions.

Scenario 2: SPA Route Manipulation

In a modern SPA environment:

  1. Attacker identifies unauthorized routes in the application’s JavaScript
  2. Creates a clickjacking overlay targeting these routes
  3. During the authentication check delay, tricks users into interacting with protected content
  4. Exploits race conditions between user actions and authentication validation

Scenario 3: Password Manager Credential Theft

The DOM-based extension attack enables:

  1. Attacker creates a legitimate-looking website with a cookie banner
  2. Embeds invisible login form with subdomain vulnerability
  3. User clicks to dismiss banner
  4. Password manager auto-fills credentials into invisible form
  5. JavaScript immediately exfiltrates credentials, TOTP codes, and credit card details to attacker’s server

Scenario 4: Local File Exfiltration

Through drag-and-drop exploitation:

  1. User believes they’re dragging a scrollbar or resizing a window
  2. Actually dragging sensitive document from their desktop
  3. File drops into attacker’s hidden iframe
  4. Document immediately uploaded to attacker’s server

Defense Strategies: Protecting Against Modern Clickjacking

Server-Side Headers: The First Line of Defense

Content Security Policy (CSP) frame-ancestors:

Content-Security-Policy: frame-ancestors 'none';

This is the modern replacement for X-Frame-Options and provides more granular control.

X-Frame-Options (for legacy browser support):

X-Frame-Options: DENY

There are three main ways to prevent clickjacking: sending the proper Content Security Policy (CSP) frame-ancestors directive response headers that instruct the browser to not allow framing from other domains; using the older X-Frame-Options HTTP headers for graceful degradation and older browser compatibility; and properly setting authentication cookies with SameSite=Strict (or Lax).

SameSite Cookies

Set-Cookie: sessionid=abc123; SameSite=Strict; Secure; HttpOnly

While this doesn’t protect against DoubleClickjacking, it remains essential for traditional clickjacking defense.

Defending Against DoubleClickjacking

To protect against DoubleClickjacking, Yibelo shared a JavaScript that can be added to web pages to disable sensitive buttons until a gesture is made, preventing double-clicking from automatically clicking the authorization button when removing the attacker’s overlay.

Example protection script:

let lastInteraction = 0;
const GESTURE_DELAY = 1000; // 1 second

document.querySelectorAll('.sensitive-button').forEach(button => {
    button.addEventListener('mousedown', (e) => {
        const now = Date.now();
        if (now - lastInteraction < GESTURE_DELAY) {
            e.preventDefault();
            return false;
        }
        lastInteraction = now;
    });
});

Experts suggest a potential HTTP header that restricts or blocks rapid context switching between windows during a double-click sequence.

Password Manager Protection

For users:

Disable autofill suggestion injected into the DOM—some password managers allow using “autofill” only via the extension icon rather than UI injected into webpages. Examples of supported ones include Bitwarden or 1Password, though it’s necessary to disable autofill suggestion injected into the DOM when using this option.

For developers:

  • Implement rate limiting on authentication endpoints
  • Use behavioral analysis to detect automated credential stuffing
  • Require explicit user confirmation for sensitive operations

SPA-Specific Protections

By implementing robust access control policy on supporting APIs, the risks associated with client-side rendering can be largely mitigated. Using server-side rendering within the SPA can prevent unauthorized users from modifying or even viewing pages and data they are not authorized to see.

Additional SPA defenses:

  1. Server-side route protection: Never rely solely on client-side routing guards
  2. API-level authorization: Validate permissions on every API request
  3. Lazy loading: Don’t bundle unauthorized routes in the initial JavaScript payload
  4. Authentication gates: Use skeleton screens instead of rendering content during auth checks

Frame-Busting JavaScript (Legacy Support)

For older browsers that don’t support CSP or X-Frame-Options:

if (window.self !== window.top) {
    window.top.location = window.self.location;
}

However, be aware this can be bypassed using the sandbox attribute.

User Education and Awareness

Technical defenses must be complemented with user awareness:

  • Be suspicious of double-click requirements on unusual sites
  • Verify browser address bars before authorizing sensitive actions
  • Disable password manager auto-fill on unfamiliar websites
  • Be cautious with drag-and-drop operations on untrusted sites
  • Use browser extensions that warn about suspicious framing attempts

Testing Your Applications

Automated Testing

Security scanners can help identify clickjacking vulnerabilities:

  • OWASP ZAP: Includes clickjacking detection in active scanning
  • Burp Suite: Professional edition includes clickjacking checks
  • Nuclei: Open-source tool with clickjacking templates

Manual Testing

One method to test site vulnerability to clickjacking is to code a specific page of HTML and use it to try to embed a sensitive page of your site in an iframe.

Example test page:

<!DOCTYPE html>
<html>
<head>
    <title>Clickjacking Test</title>
    <style>
        iframe {
            width: 800px;
            height: 600px;
            opacity: 0.5; /* Make visible for testing */
            position: absolute;
            top: 0;
            left: 0;
            z-index: 2;
        }
        button {
            position: absolute;
            top: 100px;
            left: 100px;
            z-index: 1;
        }
    </style>
</head>
<body>
    <button>Test Click</button>
    <iframe src="https://your-site.com/sensitive-page"></iframe>
</body>
</html>

If your sensitive page loads in the iframe, you have a clickjacking vulnerability.

DoubleClickjacking Testing

Test your application’s response to rapid window switching:

  1. Open your application in one window
  2. Create a script that rapidly opens/closes overlaying windows
  3. Attempt to interact with sensitive functions during the switching
  4. Verify that actions are not executed without proper user intent

The Future of Clickjacking Defense

Browser-Level Protections Needed

In the long run, browsers should adopt new standards to defend against double-click exploitation—similar to how X-Frame-Options or frame-ancestors protect against classic iframe-based clickjacking. When clickjacking was first discovered in 2008, the initial mitigation was also JavaScript until browsers provided a simpler method to mitigate the vulnerability class.

Proposed solutions include:

  • Timing-based headers: Restrict rapid context switching during multi-click sequences
  • Gesture validation: Require complete user gestures before executing sensitive actions
  • Enhanced CSP: Expand Content Security Policy to cover timing-based attacks
  • Extension sandboxing: Better isolation for browser extension DOM manipulation

Application Framework Improvements

Modern frameworks like React, Angular, and Vue need built-in protections:

  • Default frame-ancestors policies in development mode
  • Automatic detection of unauthorized route access
  • Built-in double-click protection for sensitive components
  • Warning systems for suspicious user interaction patterns

Zero-Trust UI Interactions

The future of web security may require treating all user interactions as potentially malicious:

  • Require explicit confirmation for state-changing operations
  • Implement multi-factor authentication for sensitive actions
  • Use behavioral biometrics to detect automated or manipulated interactions
  • Deploy AI-powered anomaly detection for unusual click patterns

Conclusion: Staying Ahead of Evolving Threats

Clickjacking in 2025 is not the simple iframe overlay attack of 2008. DoubleClickjacking seemingly affects almost every website, leading to account takeovers on many major platforms, and all websites by default (those that didn’t fix this yet) are vulnerable to this with many surprising impacts including OAuth takeovers.

The convergence of single-page applications, browser extensions, and sophisticated timing-based exploits has created a perfect storm of clickjacking vulnerabilities that bypass traditional defenses. Organizations must:

  1. Audit immediately: Test all web applications for clickjacking vulnerabilities
  2. Implement defense-in-depth: Use multiple layers of protection
  3. Stay informed: Monitor security disclosures for new clickjacking variants
  4. Educate users: Train employees and customers to recognize suspicious interactions
  5. Plan for the future: Prepare for browser-level protections and framework updates

The old defenses—X-Frame-Options headers and frame-busting scripts—are no longer sufficient. Modern applications require modern defenses that account for double-click exploitation, DOM manipulation, drag-and-drop attacks, and the unique vulnerabilities introduced by single-page applications.

As attackers continue to innovate, security professionals must remain vigilant, adopting new defensive techniques as they emerge and pushing for industry-wide standards that make clickjacking attacks obsolete. The battle against UI redressing is far from over, but with proper awareness and implementation of comprehensive defenses, we can protect users from these invisible threats lurking behind every click.

Key Takeaways

  • Traditional clickjacking defenses like X-Frame-Options are insufficient against modern variants
  • DoubleClickjacking bypasses all known protections including CSP and SameSite cookies
  • Password manager extensions are vulnerable to DOM-based clickjacking affecting millions of users
  • Single-page applications create new attack surfaces through client-side rendering and routing
  • Drag-and-drop attacks can steal files directly from users’ local machines
  • Defense requires multiple layers: server headers, JavaScript protections, and user education
  • Browser-level standards are needed to combat timing-based exploitation techniques
  • Organizations must test and update defenses continuously as new variants emerge

The evolution of clickjacking demonstrates that no security measure is permanent. What worked yesterday may be obsolete today, and tomorrow’s threats are already being developed. Stay vigilant, stay informed, and stay protected.

Related Topics

#clickjacking, UI redressing, clickjacking attack, modern clickjacking, clickjacking 2.0, single page application security, SPA security vulnerabilities, DoubleClickjacking, double click exploit, frame busting bypass, X-Frame-Options bypass, CSP bypass, Content Security Policy vulnerabilities, drag and drop attack, file theft attack, cookiejacking, DOM-based clickjacking, browser extension vulnerabilities, password manager vulnerabilities, 1Password vulnerability, Bitwarden vulnerability, LastPass security, iCloud Passwords vulnerability, web application security, OWASP clickjacking, iframe attack, overlay attack, UI manipulation, cursor jacking, multi-step clickjacking, OAuth hijacking, account takeover attack, React security, Angular security, Vue security, client-side rendering vulnerabilities, SPA routing vulnerabilities, browser security 2025, web security threats, advanced clickjacking techniques, clickjacking defense, clickjacking prevention, frame-ancestors directive, SameSite cookies, authentication bypass, credential theft, auto-fill exploit, drag-and-drop vulnerability, sandbox attribute exploit, double iframe attack, CSRF clickjacking, self-XSS exploitation, gesture-based attacks, timing-based attacks, zero-trust UI, behavioral biometrics, web security testing, penetration testing, security headers, HTTP security headers, modern web vulnerabilities, browser extension security, Chrome security, Firefox security, Safari security, Edge security, web framework security, API security, authentication security, session hijacking, cross-site attacks, user interaction attacks, invisible iframe, transparent overlay, UI spoofing, social engineering attack, phishing attack, web exploitation, vulnerability disclosure, security patch, CVE clickjacking, bug bounty, ethical hacking, cybersecurity 2025, application security, AppSec, OWASP Top 10, web pentesting, security best practices, defense in depth, security architecture, threat modeling, attack surface, vulnerability assessment, security awareness, user education security, secure coding practices, JavaScript security, HTML5 security, CSS security, browser API security, window manipulation, DOM manipulation, event handling security, click tracking, user gesture validation, anti-clickjacking, clickjacking mitigation, security controls, preventive security, detective security

Share this article

Share on XShare on LinkedIn

More InstaTunnel Insights

Discover more tutorials, tips, and updates to help you build better with localhost tunneling.

Browse All Articles