New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

Information:

     Clickjacking, also called UI redressing, is an attack technique in which users are tricked into clicking a seemingly innocuous web page element (e.g., a button), leading to malware deployment or the exfiltration of sensitive data.

Incident:

     A new attack technique called "DoubleClickjacking" has been discovered, capable of bypassing existing Clickjacking protections implemented by major websites.

     DoubleClickjacking is a variation on the Clickjacking theme that exploits the timing gap between the start of a double-click and the end of its second click to bypass security controls and take over accounts with minimal user interaction.

How DoubleClickjacking Works:

1. The user visits an attacker-controlled website, which opens a new window or tab either without any interaction or after the user clicks a button.

2. The new window appears harmless, displaying something like a CAPTCHA verification, and asks the user to double-click to proceed.

3. While the user is double-clicking, the main website uses JavaScript's Window Location object to redirect the user to a malicious page, such as a page approving a malicious OAuth application.

4. Simultaneously, the top window is closed, leaving the user unaware that they have unintentionally granted access by confirming permissions on the main website.

Recommendation:

  - Website owners should implement client-side methods that disable critical buttons by default until user interactions such as mouse movement or keyboard input are detected.

  - Stay updated with browser vendors on new standards designed to prevent such attacks.

  - Users should exercise caution when double-clicking on unfamiliar websites and verify that the websites they visit have appropriate security measures in place.
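One way to implement the first recommendation, written here as an added example (it is not code from the article, from any browser vendor or from any affected site): a critical button stays disabled until the document itself observes a genuine user gesture, and a click that arrives before that is ignored. The event names, the 250 ms dwell heuristic and every function name below are this example's own assumptions. The decision logic is kept free of DOM calls so it can be unit-tested under Node; the wiring function attaches it to a real button when a document exists.

```javascript
// Added example: gate critical buttons behind observed user interaction.
// Assumptions (not from the article): which events count as intent, and a
// short dwell so a page cannot be "armed" the instant it becomes visible.
const ARMING_EVENTS = ["mousemove", "pointermove", "keydown"];
const MIN_DWELL_MS = 250;

// Creates a gate for one page view. `openedAt` is the timestamp at which the
// page became visible; callers pass explicit timestamps so the logic is
// deterministic and testable.
function createSensitiveActionGate(openedAt) {
  let armedAt = null;

  return {
    // Record a user event seen on the document. Returns true once armed.
    noteInteraction(eventType, at) {
      const isIntent = ARMING_EVENTS.includes(eventType);
      const dwelledLongEnough = at - openedAt >= MIN_DWELL_MS;
      if (armedAt === null && isIntent && dwelledLongEnough) {
        armedAt = at;
      }
      return armedAt !== null;
    },
    // A critical click is honoured only after the gate has been armed.
    isArmed() {
      return armedAt !== null;
    },
  };
}

// Wire the gate to a real button: disabled by default, enabled only after the
// document sees an arming event, and clicks before arming are swallowed.
// Guarded so the module also loads in an environment with no DOM.
function protectCriticalButton(button, gate, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return false;
  button.disabled = true;

  for (const type of ARMING_EVENTS) {
    doc.addEventListener(type, (ev) => {
      // ev.timeStamp shares the performance.now() clock used for openedAt.
      if (gate.noteInteraction(ev.type, ev.timeStamp)) button.disabled = false;
    }, { passive: true });
  }

  // Capture-phase handler so the page's own click logic never sees an
  // unarmed click, even if the button was re-enabled by other code.
  button.addEventListener("click", (ev) => {
    if (!gate.isArmed()) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);
  return true;
}

// Usage in a page (constructed; "#approve-app" is a placeholder selector):
//   const gate = createSensitiveActionGate(performance.now());
//   protectCriticalButton(document.querySelector("#approve-app"), gate);
```

The gate is a heuristic stopgap rather than a complete defence: it raises the bar for a click that lands on the page with no preceding movement or key press, but the article's own second recommendation (browser-level standards) is where a durable fix belongs.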

Security remains the priority. We must stay vigilant and monitor as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
0613879439 (Ms. Sirilak)
0922576902 (Ms. Narusorn)

References:

- https://thehackernews.com/2025/01/new-doubleclickjacking-exploit-bypasses.html

Weekly Interesting CVE

1. CVE-2023-7028
   Published Date: 12/1/2024
   Last Update: 20/12/2023
   Device/Application/OS Target: GitLab CE/EE
   Attack Type: Unauthorized Access
   CVSS Severity Rating: 10
   Detail: An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2, in which user account password reset emails could be delivered to an unverified email address.
   Solution: Upgrade to 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4 or 16.7.2 or above
   Reference: https://app.opencve.io/cve/CVE-2023-7028

2. CVE-2024-21756
   Published Date: 1/8/2024
   Last Update: 23/12/2024
   Device/Application/OS Target: JetBrains TeamCity before versions 2024.12
   Attack Type: fortinet
   CVSS Severity Rating: 8.6
   Detail: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSandbox version 4.4.0 through 4.4.3, 4.2.0 through 4.2.6 and 4.0.0 through 4.0.4 allows an attacker to execute unauthorized code or commands via crafted requests.
   Solution: Upgrade to 4.4.4, 4.2.7 or 4.0.5 or above
   Reference: https://app.opencve.io/cve/CVE-2024-21756

3. CVE-2022-43842
   Published Date: 02/23/2024
   Last Update: 31/12/2024
   Device/Application/OS Target: IBM, Linux, Microsoft
   Attack Type: SQL injection
   CVSS Severity Rating: 8.6
   Detail: IBM Aspera Console 3.4.0 through 3.4.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 239079.
   Solution: Upgrade
   Reference: https://app.opencve.io/cve/CVE-2022-43842

4. CVE-2024-0113
   Published Date: 9/6/2024
   Last Update: 26/12/2024
   Device/Application/OS Target: NVIDIA Mellanox OS, all versions prior to and including 3.11.4000; ONYX, all versions prior to and including 3.10.4400; Skyway, all versions prior to and including 8.2.2200; MetroX, all versions prior to and including 18.2.2200
   Attack Type: CGI path traversal
   CVSS Severity Rating: 7.5
   Detail: NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation of privileges and information disclosure.
   Solution: NVIDIA Mellanox OS updated version 3.12.1002; ONYX updated version 3.10.4504; Skyway updated version 8.2.2300; MetroX updated version 18.2.2300
   Reference: https://app.opencve.io/cve/CVE-2024-0113

5. CVE-2024-8509
   Published Date: 6/9/2024
   Last Update: 27/12/2024
   Device/Application/OS Target: Red Hat Migration Toolkit for Virtualization 2 x86_64; Migration Toolkit for Virtualization 1 x86_64
   Attack Type: Empty bearer token may perform authentication
   CVSS Severity Rating: 7.5
   Detail: A vulnerability was found in Forklift Controller. There is no verification against the Authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information.
   Solution: Update Migration Toolkit for Virtualization 2.6
   Reference: https://app.opencve.io/cve/CVE-2024-8509

Weekly Interesting Campaign

1. Malicious Rspack, Vant packages published using stolen NPM tokens
   Detection Date: 20/12/2024
   Attack Type: Cryptocurrency mining, information stealing; supply chain attack
   Description: Researchers from Sonatype and Socket detected cryptocurrency mining activity using XMRig originating from npm packages associated with the Rspack project. On further investigation, malicious code was found embedded in the @rspack/core package (file support.js) and the @rspack/cli package (file config.js). These files communicated with C2 servers and other external servers while secretly mining cryptocurrency, leading to increased CPU usage. Additionally, a script was installed at the path /tmp/vant_helper.

   Moreover, the npm packages were exploited to steal access tokens and other credentials. The researchers found that these packages had already been downloaded over 400,000 times. Following the discovery, the developers released patches to disable the versions containing the embedded malicious code.

   Mitigation/Remediation:
   1. Keep Rspack and Vant updated to the latest version.
   2. Deploy endpoint protection and network monitoring to detect exploitation attempts.

   Ref: https://www.bleepingcomputer.com/news/security/malicious-rspack-vant-packages-published-using-stolen-npm-tokens/

13 January 2025
