Google Fixes Chrome 'Evil Cursor' Bug Abused by Tech Support Scam Sites

Google has patched a Chrome bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and lock users inside browser pages by preventing them from closing and leaving browser tabs. From a report: The trick was first spotted in September 2018 by Malwarebytes analyst Jerome Segura. Called an "evil cursor," it relied on using a custom image to replace the operating system's standard mouse cursor graphic. A criminal group that Malwarebytes called Partnerstroka operated by switching the standard OS 32-by-32 pixels mouse cursor with one of 128 or 256 pixels in size. A normal cursor would still appear on screen, but in the corner of a bigger transparent bounding box. [...] The "evil cursor" fix is currently live for Google Canary users, and is scheduled to land in the Chrome 75 stable branch, to be released later this spring.

de facto standard

I'm so happy that Chrome is the new Internet Explorer. Looks at all of the great reasons to use Chrome.

Re:de facto standard

Browsers support custom mouse cursor images for the sake of web games and to allow browsers to build immersive experiences

Bullshit. There is ZERO reason for a website to fuck with your cursor. Fuck you and your "web games" and "immersive experience" bullshit.

so disallowing over-sized cursors wasn't an ideal solution

No, preventing websites from fucking with your cursor is EXACTLY the right solution.

as it would have negatively impacted thousands of sites, if not more.

Oh, boo-fucking-ho. If you can't do things with a normal cursor you need to fuck off and die.

Re:de facto standard

[omnichad]

Win32 apps change your cursor. And it's functional, not just cute crap. A web-based photo editor needs dragging handles, I-beam cursor, brush size indication, etc. The problem isn't the existence of the feature.

Re:de facto standard

[tepples]

[Expletive] you and your "web games" and "immersive experience" [nonsense].

In what way would a reasonable person consider a "SORRY! This game is not yet available for your platform." screen superior to a web game?

Re:de facto standard

[The+MAZZTer]

I'm so happy that Chrome is the new Internet Explorer. Looks at all of the great reasons to use Chrome.

Actually this exact same exploit should work fine in IE too, including really old versions back to IE6 if not further.

Re:de facto standard

[nazsco]

A huge LOL at everyone even thinking google did something to improve online games.

Their business depends on Ads. Some Ad agency called them and said "we need huge ass cursors for our new Ad masterpiece", and google rushed to comply.

You can have fun reading their public emails on the thousands of cases that they were required to provide emails as evidence, and i guarantee you will find one department's mass-email congratulating team so and so for the win of enabling big ass cursors on Chrome and unlocking many dollars from some Ad agency doing a campaign for some big name brand on AdWords or something.

Online games (and scammers) just scrape by, picking whatever falls on the floor from the mouth of Ads.

Re:de facto standard

[tepples]

Good games run locally, at least in large part

Provided that 1. the game is ported to your platform (it often isn't, particularly for minority platforms like X11/Linux and macOS) and 2. you have permission from the device's owner or in some cases the device's manufacturer to install the game (a user often doesn't).

Re:Why was this possible again?

[omnichad]

How do you know when you're at a resizable corner of an object? Your cursor changes. Designing web based software, you need these sorts of things as part of your visual language. The only thing that needs fixed is the security of it.

Re:Why was this possible again?

[olsmeister]

Designing web based software, you need these sorts of things as part of your visual language.

No. Just fucking NO

System-defined resize cursor

[tepples]

How do you know when you're at a resizable corner of an object? Your cursor changes

Ideally, one of the following would be the case:

A. The user hasn't yet whitelisted JavaScript on the domain and therefore the site neither knows nor cares where the user is "at".
B. The user has whitelisted JavaScript on the domain but not site-supplied cursor images. The site changes the cursor to a system-defined resize cursor, not an image supplied by the site.
C. The user has whitelisted cursor theming for this site. This would rarely happen except for games.

Re:System-defined resize cursor

[omnichad]

Cursor can also be set by CSS

Re:System-defined resize cursor

[tepples]

If an HTML document on a given domain is using CSS to set a cursor, but the user hasn't opted in to showing site-supplied cursors on that domain, it would start in state B.

Chat, Web 1.0 style

[tepples]

It's time to start teaching them the opposite lesson. Turn it off. If a site is broken that way when all it had to do was show you some text and pictures, or link to a video or two, that site was not your friend.

Without script, how would an HTML document representing a chat channel pull in new messages? As far as I can tell, it'd need to rely on an iframe that sends <meta http-equiv="refresh" content="10;url=http://example.com/" /> which would cause an annoying flash every 10 seconds as the entire message pane reloads from scratch.

Or would you instead prefer that the website offer a companion native app? Some sites do, but rarely for all relevant platforms (Windows, macOS, X11/Linux AMD64, X11/Linux ARM, iOS, and Android). And even on platforms where the companion native app is available, it's rarely RAM-efficient; I measured the Electron-based Skype for Linux app as using over 500 MB of RAM.

Or would you instead prefer that the website offer service using a standard protocol, such as IRC, to which the user can connect using an existing native application that the user can easily obtain for all major platforms? Limits of the IRC protocol include no avatar images, no chat history (even if a channel wants to use it), no sending files from a device behind NAT, and no reactions to a message.

Re:Chat, Web 1.0 style

[aybiss]

Yeah, we actually don't want applications to run in web browsers. That's what you need to wrap your head around.

Re:Chat, Web 1.0 style

[mattventura]

It’s almost like Electron apps aren’t actually native apps, they’re just a web browser with less UI. Which is even worse than running it in an actual browser, because then you have the memory overhead of two browser runtimes and less sandboxing.

Re:Chat, Web 1.0 style

[tepples]

Have a perfectly good chat system that runs locally and beats the shit out of whatever your "web chat" is doing. It works with every OS I've ever heard of.

How does a small team go about making "a perfectly good chat system that runs locally" on all desktop and mobile operating systems? And how do prospective users go about obtaining permission to install "a perfectly good chat system that runs locally" on the computers that they use?

Re:WTF?

[darkain]

Average users? Not so much. Not everyone grew up in the Win3.1 era where keyboard shortcuts were pretty much required to do anything meaningful in the OS.

Re:Why was this possible again?

The problem here is fully custom pointers. It's highly unlikely any non-game "web-based software" would be significantly affected by being restricted to only the non-url forms of this.

Your software can have access to system standard cursors without a security issue.

Misconceptions

[The+MAZZTer]

Let me clear some things up:

1. Being able to change the cursor is a pretty important thing. You know how links turn into a hand when you hover over them? That's the main use. I myself have used custom cursors to provide intuitive help when the user hovers over a UI element. It shows you how to use it. Is it a resizer? What directions can it resize? Does it move something? Can you not interact with it at all? Is it a hyperlink? Is it text I can select?
2. This is something that could be exploited waaaay back to IE6 and probably earlier, and should work in every browser. Chrome is particularly vulnerable because alert boxes are not popup boxes which block the whole browser, to prevent pages from locking up the browser with alert boxes, so the cursors still show even when an alert box is up as the user has their mouse over the webpage. I presume at least part of the fix will be to disable custom cursors when an alert box is shown, since the user can't interact with the page anyway until it's dismissed.
3. This is pretty easy to get yourself out of once you realize what is going on. It works mostly by confusion. Users move their cursor up to close the tab or click OK on the alert, but the cursor is actually still inside the webpage. Once you move the cursor outside of the webpage, the custom cursor is correctly changed back to a standard one. However users see the cursor outside the webpage and think it is there (understandably) but it's actually inside, so the custom cursor remains in play. Chrome could potentially detect cursors where the hotspot is transparent and simply block those entirely, fixing this problem altogether, and I hope they do.
4. Custom cursors or standard cursor changes are entirely CSS and require no JavaScript to implement on a webpage, though of course JavaScript can be used to add or modify CSS at runtime. Blocking JavaScript will not completely protect you from this exploit.
5. If you think custom cursors are terrible, you are welcome to go to Windows Mouse settings and change all the cursor types to the default, and see how long it takes you to give up and change them back.

Re:Misconceptions

Ah, there's two different issues:

1. Allowing the application/css to chose from a selection of approved cursors (e.g., resize, zoom-in, i-beam, hand, arrow); and
2. Allowing the application/css to load any arbitary SVG/PNG file and use that as a cursor.

Restricting (web) application to the cursors that have been set in Windows Mouse settings (i.e., allowing option one) is fine by me. Option two is where the trouble lies.

Re:Why was this possible again?

[Red_Forman]

The problem here is people.

FTFY.

Re:WTF?

[PPH]

> kill `pidof google-chrome`

Gets me out. Every time.

Re:Why was this possible again?

[omnichad]

Paint brushes with variable size and hardness.

"locked in a browser tab"?

[JustAnotherOldGuy]

"...and lock users inside browser pages by preventing them from closing and leaving browser tabs."

Ummm, is it soooo hard to use CTRL-F4 to close a tab on Windows or Linux?

Locked in a browser tab, oh noes! So scary.

 

Re:"locked in a browser tab"?

[DamonHD]

Why the snark? Do you get off on making other people feel small?

If people don't understand what's going on it can be worrying or worse. I suspect from your ID (if not your handle) that I may have been programming in assembler and using multiple OSes since before you were born, and don't happen to know that hot-key sequence.

Re:"locked in a browser tab"?

[DamonHD]

Maybe Windows is not all I (or these other people) use or do all day so why should we happen to remember obscure commands for the least nice and most flaky ones?

Can you tell me the equivalent for (say) C/PM, M/PM, the BBC Micro and a bunch of very common home computers, several mainframe OSes including some uni homebrews, several dozen flavours of UNIX with varying terminal settings since the 80s, Mac OS up to 9 and the current macOS, etc, etc? Plus embedded systems of various types from the 80s onwards? And (say) the common debugging tools in each? And some X.25 PAD escapes, and ssh, screen? Why not, it's obvious!

Just because you know one thing that's important to you, does not make it important or obvious to people with other priorities in life... Nor does it make it right to attempt to shame someone for not knowing,