⚠️ Educational Purpose Only - This is a simulation of an X OAuth phishing attack using DoubleClickjacking ⚠️
X (formerly Twitter) OAuth Phishing with DoubleClickjacking
Challenge: Identify the DoubleClickjacking Attack
Educational Purpose Only - Phishing Simulation
Scenario Description
You receive an email claiming you've won an X Blue subscription for a year. The email contains a link to claim your prize. When you click on it, you're taken to what appears to be an X OAuth authorization page.
This simulation demonstrates a phishing technique called DoubleClickjacking, which sidesteps the X-Frame-Options protection that normally prevents clickjacking attacks.
DoubleClickjacking is a clickjacking variant that works even when standard protections such as X-Frame-Options, CSP frame-ancestors and SameSite cookies are in place, because the target page is never placed inside a frame at all.
The technique, published by Paulos Yibelo in December 2024, exploits the timing gap inside a double-click: the attacker's window takes the first mousedown and closes itself, so the second click lands on a sensitive button in the window beneath.
Simulation steps: 1. Authorization  2. More Permissions  3. Success
🔒 https://xx.com/i/oauth2/authorize
Authorize X Rewards
X Rewards (xx.com)
This app will be able to:
✓ See your username, profile picture and account info
Here's how it works:
The attacker's page opens a new window (or popup) that looks like a harmless verification step, for example a "double-click to verify you are human" prompt.
While the decoy is on top, the attacker's original window navigates to the real target, such as the X OAuth authorization page, and positions it so the "Authorize app" button sits directly under the decoy's prompt.
When the user double-clicks the decoy, the first mousedown is handled by the decoy, which immediately closes itself (or navigates away).
The second click of the double-click therefore lands on the real "Authorize app" button in the window beneath, and the browser delivers it as a genuine, top-level, first-party click.
Because the target page is never loaded inside a frame, X-Frame-Options, CSP frame-ancestors and frame-busting scripts have nothing to act on, and SameSite cookies are sent as usual.
How DoubleClickjacking Works
When you double-click the "Authorize app" button shown by the decoy, the first click closes the attacker's window, and the second click is delivered to the real authorization page behind it, which requests more permissions than the decoy displayed.
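The sequence above is what a consent page has to defend against. The following is an added example, not code from the original page or from X: a simplified model of the client-side mitigation Yibelo proposed, which keeps sensitive buttons disabled until the page itself has seen a pointer movement or a key press. Events are plain objects (`type`, `t` in milliseconds, `target`), the two timelines are constructed rather than captured from a browser, `authorize` is a hypothetical target name for the consent button, and the `ARM_DELAY_MS` dwell time is an assumed value.

```javascript
// Added example (not from the original page or from X): model of a consent-button guard.
// Assumptions: DOM-like event names; t is milliseconds; 'authorize' is the hypothetical
// consent button; ARM_DELAY_MS is an assumed dwell time, not a value from the page.
const ARM_DELAY_MS = 500;

// The guard refuses clicks on the sensitive button until the page has observed evidence
// of a real user (mousemove or keydown) and a minimum dwell time since it was shown.
function createConsentGuard({ armDelayMs = ARM_DELAY_MS } = {}) {
  const state = { shownAt: null, intentSeen: false, authorized: 0, rejected: [] };

  function handle(ev) {
    switch (ev.type) {
      case 'pageshow':        // consent page rendered
        state.shownAt = ev.t;
        break;
      case 'mousemove':       // a double-click started in another window delivers
      case 'keydown':         // neither of these to the consent page beforehand
        state.intentSeen = true;
        break;
      case 'click': {
        if (ev.target !== 'authorize') break;
        const dwell = state.shownAt === null ? 0 : ev.t - state.shownAt;
        if (!state.intentSeen) {
          state.rejected.push({ t: ev.t, reason: 'no-intent' });
        } else if (dwell < armDelayMs) {
          state.rejected.push({ t: ev.t, reason: 'too-fast' });
        } else {
          state.authorized += 1;
        }
        break;
      }
      default:
        break;
    }
  }
  return { handle, state };
}

// Feed a timeline through a fresh guard and return its final state
function runSequence(events, opts) {
  const guard = createConsentGuard(opts);
  for (const ev of events) guard.handle(ev);
  return guard.state;
}

// Constructed timeline 1 (DoubleClickjacking): the consent page was loaded in the opener
// about two seconds earlier; the user's first mousedown went to the attacker's top window,
// which closed itself, so the only event the consent page sees is the second click.
// Note that a dwell-time check alone would pass this: the page has been open long enough.
const doubleClickjackingTimeline = [
  { type: 'pageshow', t: 0, target: 'document' },
  { type: 'click', t: 2100, target: 'authorize' },
];

// Constructed timeline 2 (genuine user): pointer moves across the page, then a click
const genuineUserTimeline = [
  { type: 'pageshow', t: 0, target: 'document' },
  { type: 'mousemove', t: 400, target: 'document' },
  { type: 'mousemove', t: 1200, target: 'authorize' },
  { type: 'click', t: 1300, target: 'authorize' },
];

// In a real page the same guard gates the button; skipped under Node, which has no DOM.
// '#authorize' is an assumed selector for the consent button.
if (typeof document !== 'undefined') {
  const button = document.querySelector('#authorize');
  const guard = createConsentGuard();
  const shownAt = performance.now();
  guard.handle({ type: 'pageshow', t: shownAt });
  button.disabled = true;
  const onIntent = (e) => {
    guard.handle({ type: e.type, t: e.timeStamp });
    const elapsed = performance.now() - shownAt;
    setTimeout(() => { button.disabled = false; }, Math.max(0, ARM_DELAY_MS - elapsed));
  };
  document.addEventListener('mousemove', onIntent, { once: true });
  document.addEventListener('keydown', onIntent, { once: true });
}
```

Running `runSequence(doubleClickjackingTimeline)` records the click as rejected with reason `no-intent`, while `runSequence(genuineUserTimeline)` records one authorization. The dwell check is kept to show why it is not enough on its own: in the real attack the consent page has been sitting behind the decoy for a while, so only the intent signal distinguishes the two timelines.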
First Screen (What You See)
Authorize X Rewards
This app will be able to:
✓See your username, profile picture, and account info
✓See who you follow
Second Screen (What's Actually Authorized)
Authorize X Rewards
This app will be able to:
✓See your username, profile picture, and account info
✓Post and delete tweets
Warning: You're actually authorizing the app to post and delete tweets on your behalf!
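The difference between the two screens is visible in the address bar: the scopes an app really asks for are carried in the `scope` parameter of the authorize URL, not in the consent text. The following is an added example, not code from the original page or from X: it extracts the scopes from an OAuth 2.0 authorize URL and compares them with the permissions a consent screen displayed. The URL is constructed for the example (client_id, redirect_uri, state and PKCE values are placeholders), the scope names are X API v2 OAuth 2.0 scope identifiers, and the mapping from the decoy's wording to `users.read` and `follows.read` is an assumption.

```javascript
// Added example (not from the original page or from X): audit an authorize URL's scopes.
// Scopes that let the app act as the user rather than only read: X uses a ".write" suffix,
// and offline.access yields a long-lived refresh token.
function isHighRisk(scope) {
  return scope.endsWith('.write') || scope === 'offline.access';
}

// Pull the space-separated scope list out of an authorize URL
// (URLSearchParams decodes both %20 and + as a space)
function extractScopes(authorizeUrl) {
  const url = new URL(authorizeUrl);
  const raw = url.searchParams.get('scope') || '';
  return raw.split(/\s+/).filter(Boolean);
}

// Compare what the URL actually requests with what the displayed consent text claimed
function auditConsent(authorizeUrl, displayedScopes) {
  const requested = extractScopes(authorizeUrl);
  const shown = new Set(displayedScopes);
  return {
    requested,
    hidden: requested.filter((s) => !shown.has(s)),                      // asked for, never shown
    unrequested: displayedScopes.filter((s) => !requested.includes(s)),  // shown as bait only
    highRisk: requested.filter(isHighRisk),
  };
}

// Constructed sample: the decoy listed profile info and follows; the URL behind it
// asks for tweet.write and offline.access. All identifiers here are placeholders.
const SAMPLE_AUTHORIZE_URL =
  'https://x.com/i/oauth2/authorize?response_type=code&client_id=EXAMPLE_CLIENT_ID' +
  '&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback' +
  '&scope=users.read%20tweet.read%20tweet.write%20offline.access' +
  '&state=EXAMPLE_STATE&code_challenge=EXAMPLE_CHALLENGE&code_challenge_method=S256';

// What the decoy's first screen claimed (assumed mapping of its wording to scopes)
const DECOY_SCREEN_SCOPES = ['users.read', 'follows.read'];

const report = auditConsent(SAMPLE_AUTHORIZE_URL, DECOY_SCREEN_SCOPES);
if (report.hidden.length > 0) {
  console.log(`Consent screen omitted: ${report.hidden.join(', ')}`);
  console.log(`High-risk scopes requested: ${report.highRisk.join(', ')}`);
}
```

For the constructed URL the audit reports `tweet.read`, `tweet.write` and `offline.access` as hidden, `follows.read` as shown but never requested, and `tweet.write` plus `offline.access` as high risk. The same check works for a `+`-encoded scope list, since `URLSearchParams` decodes it the same way.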
This attack is particularly dangerous because:
Standard clickjacking protections such as X-Frame-Options, CSP frame-ancestors and frame-busting scripts do not apply, since the target page is never framed.
The decoy looks completely legitimate to the user, and the consent that gets recorded is a real click on the real authorization page.
Once authorized, the malicious app receives every scope it requested, which could include posting tweets, reading direct messages, or changing account settings.
You're showing excellent security awareness by being cautious. This is a safe simulation environment
designed to teach you about DoubleClickjacking attacks. You can safely proceed to learn about this attack
technique without any risk.