
Image by Kelly Sikkema, from Unsplash
DoubleClickjacking: How A New Cyberattack Targets User Interactions
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
Cybersecurity expert Paulos Yibelo today announced DoubleClickjacking, a web attack that leverages double-click timing to deceive users into executing sensitive actions on websites.
In a Rush? Here are the Quick Facts!
- DoubleClickjacking exploits the timing gap between two clicks in a double-click sequence.
- It enables unauthorized actions, including account takeovers and permission grants on OAuth platforms.
- Browser extensions and mobile apps are also vulnerable to DoubleClickjacking attacks.
Paulos Yibelo explains that the DoubleClickjacking technique expands on the well-known “clickjacking” technique. This attack manipulates user interface interactions to bypass protections such as X-Frame-Options headers and SameSite cookies, potentially affecting a wide range of websites.
Yibelo explains that DoubleClickjacking works by exploiting the timing between two clicks in a double-click sequence. The attack typically begins with a user interacting with a webpage that opens a new window or displays a prompt.
The first click closes the newly opened window, revealing a sensitive action page—such as an OAuth authorization screen—in the original browser window. The second click then unintentionally authorizes a malicious action or grants access to unauthorized applications.
This method leverages the brief delay between “mousedown” and “click” events, bypassing traditional security measures. Its impact is substantial, enabling attackers to perform actions such as gaining access to accounts, altering settings, or conducting unauthorized transactions, says Yibelo.
Many platforms using OAuth for authentication are particularly vulnerable, as attackers can exploit this method to obtain extensive permissions on user accounts.
The risks extend beyond websites, with browser extensions and mobile applications also susceptible. Examples include scenarios where cryptocurrency wallets or VPN settings could be manipulated without the user’s awareness, as noted by Yibelo.
Yibelo gives an example of a Slack account takeover.
The attack’s simplicity—requiring only a double-click—makes it difficult to detect and prevent. To mitigate the risks, Yibelo says that developers can implement JavaScript-based protections that disable critical buttons until intentional user actions, like mouse movements or keyboard input, are detected.
Yibelo says that this approach adds a layer of verification, ensuring that sensitive actions cannot occur without deliberate user engagement. Over time, browser developers may adopt more robust solutions, such as introducing specialized HTTP headers to prevent context-switching during double-click interactions.
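The button-gating mitigation described above, as an added JavaScript sketch that is not Yibelo's own code: sensitive controls start disabled and are enabled only by a trusted mouse-move or key press, never by a click. The `data-sensitive` attribute, the function names and the fake document used to replay the event sequence are assumptions made for this example.

```javascript
// Added example: keep sensitive buttons disabled until a trusted mouse-move
// or key press is seen. The [data-sensitive] selector is an assumption.
const UNLOCK_EVENTS = ['mousemove', 'keydown'];

function guardSensitiveControls(doc, selector = '[data-sensitive]') {
  const controls = Array.from(doc.querySelectorAll(selector));
  controls.forEach((el) => { el.disabled = true; }); // locked by default
  let armed = false;

  function arm(event) {
    // Script-dispatched events have isTrusted === false; only real input counts.
    if (armed || event.isTrusted !== true) return;
    armed = true;
    controls.forEach((el) => { el.disabled = false; });
    UNLOCK_EVENTS.forEach((type) => doc.removeEventListener(type, arm, true));
  }
  // mousedown/click are deliberately absent: the second click of a
  // double-click must never be the event that unlocks the button.
  UNLOCK_EVENTS.forEach((type) => doc.addEventListener(type, arm, true));
  return { isArmed: () => armed };
}

// Constructed stand-in for a DOM document so the logic can run under Node.
function makeFakeDocument(buttons) {
  const handlers = new Map();
  return {
    querySelectorAll: () => buttons,
    addEventListener: (type, fn) => handlers.set(type, fn),
    removeEventListener: (type) => handlers.delete(type),
    fire: (type, isTrusted) => {
      const fn = handlers.get(type);
      if (fn) fn({ type, isTrusted });
    },
  };
}

// Replays a double-click landing on a freshly shown page, then real input.
function demo() {
  const authorize = { disabled: false }; // constructed sample button
  const doc = makeFakeDocument([authorize]);
  guardSensitiveControls(doc);
  const states = [authorize.disabled];   // right after load
  doc.fire('mousedown', true); doc.fire('click', true);
  states.push(authorize.disabled);       // after a double-click alone
  doc.fire('mousemove', false);
  states.push(authorize.disabled);       // after a scripted mousemove
  doc.fire('mousemove', true);
  states.push(authorize.disabled);       // after a genuine mousemove
  return states;
}
```

In a page, call `guardSensitiveControls(document)` once the DOM is parsed; the server must still enforce its own checks, since this only changes what the rendered page accepts.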
DoubleClickjacking highlights the evolving challenges in web security. By exploiting minor user interaction patterns, it underscores the need for continuous updates to security practices and protections.

Image by Maxime, from Unsplash
Las Vegas Explosion: Military Soldier Behind Cybertruck Attack, Seven Injured
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
Law enforcement officials have identified the driver of the Tesla Cybertruck that exploded outside the Trump International Hotel in Las Vegas on January 1 as Matthew Livelsberger, a 37-year-old active-duty U.S. Army soldier from Colorado Springs, Reuters reported today.
In a Rush? Here are the Quick Facts!
- Explosion killed driver and injured seven others; authorities believe it was a suicide.
- Livelsberger, an Army Special Operations member, was on approved leave at the time.
- Investigators are exploring terrorism links, but no definitive conclusions have been made.
Reuters reports that the blast left the driver dead and seven others with minor injuries. Authorities believe Livelsberger acted alone and died by suicide before explosives in the vehicle detonated. Livelsberger, a member of the Army Special Operations Command, had been on approved leave at the time of his death.
The explosion, which occurred around 8:40 a.m. local time, followed the rental of the Cybertruck in Denver and a journey through several cities, including Albuquerque and Flagstaff, before reaching Las Vegas, according to Reuters.
We have now confirmed that the explosion was caused by very large fireworks and/or a bomb carried in the bed of the rented Cybertruck and is unrelated to the vehicle itself. All vehicle telemetry was positive at the time of the explosion. https://t.co/HRjb87YbaJ — Elon Musk (@elonmusk) January 1, 2025
Videos showed the vehicle exploding outside the Trump hotel.
The blast caused damage primarily inside the truck as the explosion “vented out and up,” sparing the Trump hotel doors just a few feet away, the sheriff explained to the AP.
CNN notes that the explosion shared similarities with the New Orleans vehicle attack earlier Wednesday, including a symbolic target on New Year’s Day, a truck rented through Turo, and a suspect with a military background. The FBI has said there is no evidence linking the explosion to the New Year’s Day truck attack in New Orleans, which killed 15 people, says Reuters.
Investigators are also exploring whether the Las Vegas blast could be connected to terrorism, though no definitive conclusions have been made. Livelsberger’s body was severely burned, and authorities are awaiting confirmation from DNA and medical records, reported Reuters.
Investigators found two handguns, military identification, a passport, and personal belongings in the vehicle. Livelsberger had no criminal record, and it remains unclear why he carried out the explosion. He was awarded a Bronze Star for valor and had completed five combat deployments to Afghanistan, as reported by Reuters.
Kenny Cooper, a special agent in charge at the Bureau of Alcohol, Tobacco, Firearms, and Explosives, noted to the AP, “The level of sophistication is not what we would expect from an individual with this type of military experience.”
Reuters says that it’s still unknown why the explosion occurred. The AP reported that an anonymous law enforcement official revealed that investigators learned through interviews that the suspect may have had a confrontation with his wife over relationship issues shortly before renting the Tesla and purchasing the guns.