Google Fixes Chrome 'Evil Cursor' Bug Abused by Tech Support Scam Sites

Google has patched a Chrome bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and lock users inside browser pages by preventing them from closing and leaving browser tabs. From a report: The trick was first spotted in September 2018 by Malwarebytes analyst Jerome Segura. Called an "evil cursor," it relied on using a custom image to replace the operating system's standard mouse cursor graphic. A criminal group that Malwarebytes called Partnerstroka operated by switching the standard OS 32-by-32 pixels mouse cursor with one of 128 or 256 pixels in size. A normal cursor would still appear on screen, but in the corner of a bigger transparent bounding box. [...] The "evil cursor" fix is currently live for Google Canary users, and is scheduled to land in the Chrome 75 stable branch, to be released later this spring.

Re:de facto standard

[omnichad]

Win32 apps change your cursor. And it's functional, not just cute crap. A web-based photo editor needs dragging handles, I-beam cursor, brush size indication, etc. The problem isn't the existence of the feature.

Misconceptions

[The+MAZZTer]

Let me clear some things up:

1. Being able to change the cursor is a pretty important thing. You know how links turn into a hand when you hover over them? That's the main use. I myself have used custom cursors to provide intuitive help when the user hovers over a UI element. It shows you how to use it. Is it a resizer? What directions can it resize? Does it move something? Can you not interact with it at all? Is it a hyperlink? Is it text I can select?
2. This is something that could be exploited waaaay back to IE6 and probably earlier, and should work in every browser. Chrome is particularly vulnerable because alert boxes are not popup boxes which block the whole browser, to prevent pages from locking up the browser with alert boxes, so the cursors still show even when an alert box is up as the user has their mouse over the webpage. I presume at least part of the fix will be to disable custom cursors when an alert box is shown, since the user can't interact with the page anyway until it's dismissed.
3. This is pretty easy to get yourself out of once you realize what is going on. It works mostly by confusion. Users move their cursor up to close the tab or click OK on the alert, but the cursor is actually still inside the webpage. Once you move the cursor outside of the webpage, the custom cursor is correctly changed back to a standard one. However users see the cursor outside the webpage and think it is there (understandably) but it's actually inside, so the custom cursor remains in play. Chrome could potentially detect cursors where the hotspot is transparent and simply block those entirely, fixing this problem altogether, and I hope they do.
4. Custom cursors or standard cursor changes are entirely CSS and require no JavaScript to implement on a webpage, though of course JavaScript can be used to add or modify CSS at runtime. Blocking JavaScript will not completely protect you from this exploit.
5. If you think custom cursors are terrible, you are welcome to go to Windows Mouse settings and change all the cursor types to the default, and see how long it takes you to give up and change them back.