Lots of people suggesting that double click here means to click the mouse twice quickly but I believe it refers to clicking submit (once), then clicking the pop up button (once), to get two total clicks.
This is clever, and I got a good laugh out of their example video. The demo UI of "Double click here" isn't very convincing - I bet there's a version of this that gets people to double click consistently though.
Like in reCAPTCHA (v2 at least) where it asks users to click on tiles to identify common objects like bridges or motorcycles. Surely one could conjure up a fake version of this.
The exploit would be more effective if it obfuscated the UI on the authorization (victim) page. Right now, even if you double click a convincing button, it’s extremely obvious that you just got duped (no pun intended).
Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.
I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.
Back in the day, this trick was used for clickjacking Digg upvotes.
Hmm. I guess it is never impossible that there’s a version of something that will trick people consistently. But, I’m kinda struggling to recall a time I’ve needed to double click on a website.
Actually the double-click action is pretty rare nowadays, right? In particular, I use it a lot to select a word in a terminal, but most of the time when I am getting UI instructions it is from a website about how to use the website itself, and since that’s a website it has to be abstract enough to also make sense for mobile users.
Telling people to double click is, I think, mostly dead.
My mother constantly struggles between when to double click or not after decades of using computers. This is probably an issue that will die out with her generation, though.
Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks. I've had a couple of logitechs do this to me. And the thing about scams is you can often legit make money off of very low success rates.
> Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks.
Speaking of things dying out, it's been so long since I used anything but a trackpad that I thought at first this was some strange claim about rodents!
It doesn’t need to be a literal double click. It could be something like a CAPTCHA “confirm you’re human,” where you click once, it appears to load, and then you click a confirm button. Do it fast enough and it might appear like a double click.
- I attempt to hit "pause" while I go handle a thing or two [0]
- As I'm about to click "pause", the layout shifts to the left exactly enough for me to unmute the ad
- I immediately click again to stop listening to whatever scam is currently being peddled
[0] For some videos I like to read the description before watching. For all videos I like to make it as obvious as possible to Google that there isn't a real person watching the ad (browser not focused, ad muted, ...).
Google drive and similar sites use double click for folders to open similar to a regular OS would. Single click tends to show some metadata where the double click does the actual navigation.
Back in 2013 I discovered that you could use clickjacking to trick someone into buying anything you wanted from Amazon (assuming they were signed in). It took them almost a year to fix the issue. They never paid me a bounty.
Bug bounties are kind of a joke. they will invent almost any reason to not pay. it has to be something where the site is malfunctioning, not CSS tricks, which has to do with the browser , not the vendor. Clickjacking can work on any site, not just Amazon.
I'm a little skeptical that this is a real exploit.
When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.
I also don't understand when the popup is shown, and what the element is when the popup is closed.
Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate
It's also not a novel threat model. For example prior art, the browser confirmation dialogs in Firefox at least don't enable their buttons until the window has had focus for 500ms or so. Possibly to avoid inadvertently unintentionally clicking "run" on a recently downloaded item, but it solves for this too and I wouldn't be shocked if this was on their mind too.
If I were running some site where pressing a button does some kind of auth that I really want a user to read, that seems like a reasonable mitigation compared to the hyperbole found in the article:
> This technique seemingly affects almost every website
Agreed, but I think this was a workaround for early web apps that existed in the primitive days. You'd need two webpages of the same site open to complete some task, but the apps weren't sophisticated enough to do that within a single window/tab. Once they did it back then, now too many web apps and workflows would suffer if they just killed that functionality entirely, too many users would scream.
Bit off topic, but what's the reasoning behind messing with the native browser scroll here. Almost gets me motion sick when scrolling through this article.
My hypothesis on this is that marketers who have personal MacBooks but are forced to use Windows computers at work, with mice with notched scroll wheels, find JS-driven smooth scrolling to be superior to the native snapping experience they see at work on many websites. But it wreaks havoc on people who already have computers with native high-resolution trackpads. Alas, the folks at big companies care more about their at-work than at-home experience, and it's been cargo-culted to smaller companies now as well. The conversation "detect if there is indeed a trackpad being used" never even comes up.
I couldn't even begin to count how many bug reports I've seen over the years that start with "when I accidentally double-click foo, bar happens". It might not be an intentional usage pattern, sure, but that doesn't mean it doesn't happen a lot.
Yeah, I have no data beyond anecdotal to back this up, but I witness A LOT of people double-clicking everything, regardless of what it is. I assume it's because they only got so far in "computer" as to learn "click + drag to move, double-click to open a program or file". Link on a web page? I want to open that!
Google Drive uses it as an interaction pattern. I find that baffling, but while uncommon, it's not totally absent. And as others have pointed out, many users carry over their expectation of having to double-click from desktop interfaces.
Web browsers and the applications on them have become extremely memory hungry. Memory management pauses are common and people click multiple times irately.
Another complicating factor that many less-tech-literate don't have a good internal model for is window focus. I've seen several people try and single-click on a not focused web button, only for nothing to happen. When they click again, the button is activated. They then learn to always double click that button.
Having a mental model of "this button needs to be double clicked" gets them the result they want, even if that's not a very accurate reflection of the computer.
In theory: if you’re clicking on a UI element that has some notion of being selected, then a single-click selects it, and you need a double-click to take an action on it. If there’s no notion of selection, then a single click takes an action.
In practice: adherence to this ranges from perfect to abysmal. And users who don’t understand the computer well may not know how to think about whether a given UI element is selectable or not.
When you're on windows and not in the browser, you double-click to launch a file or program in the Explorer (which also is what runs the desktop). Single-click is select.
So, the rule:
List of files on your computer or desktop? Double-click. Otherwise? Don't.
What if I’m opening an email in Outlook? What if I’m looking at something in Control Panel? (That one’s a trick question, since the answer has changed in modern Windows versions.)
Although seriously, I find I never break out of the preview in Outlook email. The only spot in Outlook where I really need to double-click is the calendar. Which is annoying.
I've had a few worn mouses register double clicks upon a single click. It happens inhumanly fast and users won't realize it until using an app that reacts to double clicks.
Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.
I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.
Back in the day, this trick was used for clickjacking Digg upvotes.
Actually the double-click action is pretty rare nowadays, right? In particular, I use it a lot to select a word in a terminal, but most of the time when I am getting UI instructions it is from a website about how to use the website itself, and since that’s a website it has to be abstract enough to also make sense for mobile users.
Telling people to double click is, I think, mostly dead.
Entirely separate, a common failure mode of dying mice is that they start generating spurious clicks. I've had a couple of logitechs do this to me. And the thing about scams is you can often legit make money off of very low success rates.
Speaking of things dying out, it's been so long since I used anything but a trackpad that I thought at first this was some strange claim about rodents!
Not sure this would work with the exploit though.
- The page mostly loads
- An ad starts playing
- I attempt to hit "pause" while I go handle a thing or two [0]
- As I'm about to click "pause", the layout shifts to the left exactly enough for me to unmute the ad
- I immediately click again to stop listening to whatever scam is currently being peddled
[0] For some videos I like to read the description before watching. For all videos I like to make it as obvious as possible to Google that there isn't a real person watching the ad (browser not focused, ad muted, ...).
it pisses me off
https://onlineaspect.com/2014/06/06/clickjacking-amazon-com/
So I'd try adding a small timeout when the tab is visible:
Related XKCD: https://www.explainxkcd.com/wiki/index.php/2415:_Allow_Captc...
When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.
I also don't understand when the popup is shown, and what the element is when the popup is closed.
Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate
If I were running some site where pressing a button does some kind of auth that I really want a user to read, that seems like a reasonable mitigation compared to the hyperbole found in the article:
> This technique seemingly affects almost every website
// SmoothScroll for websites v1.2.1
CAPTCHA:
Please copy `qwertyuiopasdfhkl`
Into here `<textbox>`
Edit: Quick (ai mockup) concept... https://imgur.com/mc0IdEA Obviously it would be most effective with a longer string though.
Edit: Actually that's generally I guess triple click. Double to select a word.
Having a mental model of "this button needs to be double clicked" gets them the result they want, even if that's not a very accurate reflection of the computer.
In practice: adherence to this ranges from perfect to abysmal. And users who don’t understand the computer well may not know how to think about whether a given UI element is selectable or not.
So, the rule:
List of files on your computer or desktop? Double-click. Otherwise? Don't.
Although seriously, I find I never break out of the preview in Outlook email. The only spot in Outlook where I really need to double-click is the calendar. Which is annoying.
You've never had a slow internet connection have you? I've seen double clicking from all users in the office. Comes from frustration.
How many times have you tried to open an application; for it not open? So you click the icon again only for two windows to split open?
Young, old, even techs. It's not as uncommon as you think.