AuxClickjacking
In this small and fun piece of research, I will show how I developed a Clickjacking technique that leaks iframe contents by prompting the user to perform a click and drag + middle mouse button (wheel) click. I’m not sure if it’s already being exploited, but for now, I’m calling this AuxClickjacking.
Select Text + Wheel Click
One day, I accidentally discovered a very useful feature in modern browsers: if you select some text and then click with the middle mouse button on any field/tab, the selected text will be pasted in that field. Since then, I've used this feature frequently, until one day I wondered whether I could abuse this behavior.
Iframe Abuse
The first thing I wanted to test was whether iframe content could be copied using this feature, and unsurprisingly, it worked:

I also noticed that an iframe with near-zero opacity can still be copied, which already hints at a potential clickjacking-like scenario.
Next, I wondered: “What if I simulate a click-and-drag interaction, but place a hidden iframe underneath, will its content be copied?”
The answer is no: modern browsers enforce a strict sandbox here. If you try selecting text across both the parent page and a hidden iframe, only the first source in the selection (the parent window) is actually copied.
So the real question became: “What if I can make the iframe the first source of the selection?”
And that’s how I came up with the idea to build an exploit inspired by click-and-drag mechanics used in many web-based games.
The Billiards Game
In this example, I’m leaking the contents of https://example.com: https://clickjacking1337.s3.us-east-1.amazonaws.com/index.html.
The core idea behind this exploit is to trick the user into performing a click-and-drag interaction to “shoot” the ball into the pocket. Visually, the user believes they are interacting with a simple billiards-style mini-game:

However, behind the scenes, the user is actually clicking and dragging over a hidden <iframe>, and to perform the “shot”, the game requires a middle-mouse (wheel) click, which will paste the iframe contents into our page. When the user drags the ball, they are unknowingly selecting the entire contents of the iframe, due to the automatic scrolling caused by the iframe’s constrained height.
The main limitation of this technique is that the first drag attempt fails because the initial interaction still happens inside the iframe’s DOM context. Fortunately, this behavior is detectable: once the iframe receives focus, the parent page triggers an onblur event, which allows the parent page to know if the iframe contents were copied or not. After the onblur event, the exploit can remove the iframe, leaving the user with a fully functional game interface while the selection event has already occurred. This way, the user will only think that it was a small bug in the game, and life goes on.
Below is a demonstration of how the exploit operates internally:

And here is what a real exploitation attempt looks like in practice:

Explaining Parts Of The Exploit Code
The iframe must have scrolling="yes" and a limited height. This way, the browser quickly performs the selection and scrolling in the entire page.
I’m using width="10000000" in the iframe element to avoid vertical scrollbars on it. A scrollbar may cause the user to select the scrollbar instead of the iframe content.
The iframe opacity needs to be near zero, enough to be unseen in the page: opacity:0.01;.
To leak the page data with the middle mouse button click, I’m creating an input element and adding an onClick event to it. This way, I can copy the pasted data:

    shotButton = document.createElement("input");
    shotButton.value = "Shoot Ball";
    /*More code*/
    shotButton.addEventListener("mouseup", (e) => {
        if (e.button === 1) { // button 1 is the middle (wheel) button
            arrowCanvas.style.opacity = 0;
            launchBall();
            setTimeout(function(){
                document.getElementById("message-content").innerText = "Leaked Data :: " + shootball.value;
                shootball.value = "Shoot Ball";
                shotButton.remove();
                shotButton = null;
            }, 1);
        }
    });

To detect if the iframe contents were already copied, I’m using the following code:

    window.addEventListener("blur", () => {
        setTimeout(function(){
            iframeElem.hidden="true"; // Prevents the iframe element from being selected.
        }, 600);
    });

Conclusion
This technique works in both Chrome and Firefox, and I can honestly say I would fall for it myself in a browser game.
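Every step above needs the target page to render inside an iframe on another origin, so the server-side control is the framing policy sent with the response. The following is an added example, not code from the original post: it classifies a response's headers the way current browsers evaluate CSP frame-ancestors and X-Frame-Options. The function names and the lower-cased `headers` object shape are assumptions.

```javascript
// Added example (not from the original post). `headers` is assumed to be a
// plain object keyed by lower-cased header name, duplicates comma-joined.
const RANK = ["blocked", "same-origin", "allow-list", "any-origin"];

// Rank one frame-ancestors source list; an empty list behaves like 'none'.
function rankSources(sources) {
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 0;
  if (sources.some((s) => /^(https?:(\/\/\*)?|\*)$/.test(s))) return 3;
  return sources.every((s) => s === "'self'") ? 1 : 2;
}

function framingPolicy(headers) {
  // Multiple CSPs arrive comma-joined; every policy must allow the embed,
  // so the strictest frame-ancestors directive wins.
  const ranks = [];
  for (const policy of (headers["content-security-policy"] || "").split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
      if (name === "frame-ancestors") {
        ranks.push(rankSources(sources));
        break; // only the first occurrence inside one policy counts
      }
    }
  }
  if (ranks.length > 0) return RANK[Math.min(...ranks)];

  // X-Frame-Options is consulted only when no frame-ancestors is enforced.
  const xfo = new Set(
    (headers["x-frame-options"] || "").toLowerCase().split(",")
      .map((v) => v.trim()).filter(Boolean));
  const known = ["deny", "sameorigin", "allowall"].filter((v) => xfo.has(v));
  if (xfo.size > 1 && known.length > 0) return "blocked"; // conflicting values
  if (xfo.has("deny")) return "blocked";
  if (xfo.has("sameorigin")) return "same-origin";
  return "any-origin"; // missing, ALLOW-FROM or unrecognised: not enforced
}

// True when an arbitrary third-party page can embed the response, which is
// the precondition for the hidden-iframe selection described in the post.
function frameableByAnyOrigin(headers) {
  return framingPolicy(headers) === "any-origin";
}
```

A response that reports "blocked" or "same-origin" never loads in the hidden iframe of a third-party page, so there is nothing there for the drag to select.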

