Where?
nym
nym@primal.net
npub1hn4z...htl5

A New type of web hacking technique: DoubleClickjacking
“Clickjacking” is becoming less practical as modern browsers set all cookies to “SameSite: Lax” by default. Even if an attacker site can frame another website, the framed site would be unauthenticated, because cross-site cookies are not sent. This significantly reduces the risk of successful clickjacking attacks, as most interesting functionality on websites typically requires authentication.
DoubleClickjacking is a new variation on this classic theme: instead of relying on a single click, it takes advantage of a double-click sequence. While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header, CSP's frame-ancestors and SameSite: Lax/Strict cookies. This technique seemingly affects almost every website, leading to account takeovers on many major platforms.

In simpler terms, DoubleClickjacking leverages the small gap between the start of a click and the end of the second click in multiple windows without utilizing any popunder tricks. It is a sleight of hand. Attackers load (or open) a new window for a legitimate-seeming reason—like a “captcha verification,” for example. Then, just before the second click is pressed, the malicious site can quickly swap in a more sensitive window from the same browser session (e.g., an OAuth authorization prompt), effectively hijacking that second click. There are many ways to perform the “swap”; the most reliable and smooth method I found uses window.open.location.
One of the important pieces of this attack is exploiting the timing difference between mousedown and onclick events (favoring mousedown over click). The mousedown event fires immediately when the user presses the mouse button, while the click event waits for the complete click action, so there are a few ms of delay we can siphon for the attack. One of the surprising things about doing it this way is that it does not matter how slow or how fast the target double-clicks. Favoring the mousedown event handler allows exploiting this even for the fastest or slowest double-clickers.
originally posted at 

Paulos Yibelo - Hacking Research: DoubleClickjacking: A New Era of UI Redressing
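The defender's side of the timing trick described in the post above, as an added example that is not code from the post or from the linked research: a sensitive control (such as an OAuth "Authorize" button) stays inert until the page has both been visible for a minimum dwell time and seen genuine pointer movement or typing, so a press that lands on a freshly swapped-in window is ignored. All names (createIntentGate, protectButton, the `#authorize` selector) and the thresholds are this example's own assumptions.

```javascript
// Intent gate: a click is honoured only if the page has been up for minDwellMs AND
// the user has demonstrably interacted with it. A second press arriving right after
// a location swap fails both checks; a normal user who pauses and moves the pointer passes.
function createIntentGate({ minDwellMs = 500, minMoveEvents = 3, now = Date.now } = {}) {
  const loadedAt = now();
  let moveEvents = 0;
  let keyEvents = 0;
  return {
    minDwellMs,
    onMouseMove() { moveEvents += 1; },
    onKeyDown() { keyEvents += 1; },
    shouldAcceptClick(at = now()) {
      const dwelled = at - loadedAt >= minDwellMs;
      const intent = moveEvents >= minMoveEvents || keyEvents > 0;
      return dwelled && intent;
    },
  };
}

// Wire the gate to a button: disabled until the gate opens, and the click handler
// re-checks in the capture phase so a stale enabled state cannot be abused.
// `doc` is injectable so the logic can be exercised without a real DOM.
function protectButton(button, gate, doc = document) {
  button.disabled = true;
  const refresh = () => { button.disabled = !gate.shouldAcceptClick(); };
  doc.addEventListener('mousemove', () => { gate.onMouseMove(); refresh(); });
  doc.addEventListener('keydown', () => { gate.onKeyDown(); refresh(); });
  button.addEventListener('click', (e) => {
    if (!gate.shouldAcceptClick()) { e.preventDefault(); e.stopImmediatePropagation(); }
  }, true);
  // Dwell time elapsing alone never enables the button; refresh still requires intent.
  setTimeout(refresh, gate.minDwellMs);
  return refresh;
}

if (typeof document !== 'undefined') {
  // Constructed usage in a real page: protect a hypothetical authorization button.
  const btn = document.querySelector('#authorize');
  if (btn) protectButton(btn, createIntentGate());
}
```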
Is the World Becoming Uninsurable?
I ask the question, "is the world becoming uninsurable?" not as an expert on the insurance industry but as a homeowner who can no longer obtain hurricane insurance, and as an observer of long-term trends keenly interested in the way global risks pile up either unseen, denied or misinterpreted until it's too late to mitigate them.

This is not an abstraction, though many are treating it as a policy debate. As noted previously here, the insurance industry is not a charity, and insurers bear the costs that are increasing regardless of opinions and policy proposals. Insurers operate in the real world, and their decisions to pull out of entire regions, reduce coverage and increase premiums are all responses to soaring losses, a reality reflected in these charts.

originally posted at 

You are receiving this email because you are a subscriber to Charles Hugh Smith / Of Two Minds.
Yum!
What are the best Nostr and Bitcoin marketplaces now? #asknostr
Earthstar - A database for private, distributed, offline-first applications
Earthstar is a specification and JavaScript library for building connected applications owned and run by their users.
Works offline. Store music, photos, video. Actually delete stuff. Temporary documents. Live syncing. Use one or many identities. Sneakernets. Always self-hosted. Servers optional. No blockchain. No tokens. Free forever, in every sense.
Verification with ed25519. Works in the browser. Grant read-only access. Efficient sync. Streaming sync. One identity across many devices. Multiwriter. Storage drivers. Document write permissions. Deno. Node.

originally posted at 

GM Nostr!
Thanks!