Google Fixes Chrome 'Evil Cursor' Bug Abused by Tech Support Scam Sites

Google has patched a Chrome bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and lock users inside browser pages by preventing them from closing and leaving browser tabs. From a report: The trick was first spotted in September 2018 by Malwarebytes analyst Jerome Segura. Called an "evil cursor," it relied on using a custom image to replace the operating system's standard mouse cursor graphic. A criminal group that Malwarebytes called Partnerstroka operated by switching the standard OS 32-by-32 pixels mouse cursor with one of 128 or 256 pixels in size. A normal cursor would still appear on screen, but in the corner of a bigger transparent bounding box. [...] The "evil cursor" fix is currently live for Google Canary users, and is scheduled to land in the Chrome 75 stable branch, to be released later this spring.

de facto standard

I'm so happy that Chrome is the new Internet Explorer. Looks at all of the great reasons to use Chrome.

Re:de facto standard

[omnichad]

Win32 apps change your cursor. And it's functional, not just cute crap. A web-based photo editor needs dragging handles, I-beam cursor, brush size indication, etc. The problem isn't the existence of the feature.

Re:de facto standard

[The+MAZZTer]

I'm so happy that Chrome is the new Internet Explorer. Looks at all of the great reasons to use Chrome.

Actually this exact same exploit should work fine in IE too, including really old versions back to IE6 if not further.

Re:Why was this possible again?

[omnichad]

How do you know when you're at a resizable corner of an object? Your cursor changes. Designing web based software, you need these sorts of things as part of your visual language. The only thing that needs fixed is the security of it.

Re:WTF?

[darkain]

Average users? Not so much. Not everyone grew up in the Win3.1 era where keyboard shortcuts were pretty much required to do anything meaningful in the OS.

Misconceptions

[The+MAZZTer]

Let me clear some things up:

1. Being able to change the cursor is a pretty important thing. You know how links turn into a hand when you hover over them? That's the main use. I myself have used custom cursors to provide intuitive help when the user hovers over a UI element. It shows you how to use it. Is it a resizer? What directions can it resize? Does it move something? Can you not interact with it at all? Is it a hyperlink? Is it text I can select?
2. This is something that could be exploited waaaay back to IE6 and probably earlier, and should work in every browser. Chrome is particularly vulnerable because alert boxes are not popup boxes which block the whole browser, to prevent pages from locking up the browser with alert boxes, so the cursors still show even when an alert box is up as the user has their mouse over the webpage. I presume at least part of the fix will be to disable custom cursors when an alert box is shown, since the user can't interact with the page anyway until it's dismissed.
3. This is pretty easy to get yourself out of once you realize what is going on. It works mostly by confusion. Users move their cursor up to close the tab or click OK on the alert, but the cursor is actually still inside the webpage. Once you move the cursor outside of the webpage, the custom cursor is correctly changed back to a standard one. However users see the cursor outside the webpage and think it is there (understandably) but it's actually inside, so the custom cursor remains in play. Chrome could potentially detect cursors where the hotspot is transparent and simply block those entirely, fixing this problem altogether, and I hope they do.
4. Custom cursors or standard cursor changes are entirely CSS and require no JavaScript to implement on a webpage, though of course JavaScript can be used to add or modify CSS at runtime. Blocking JavaScript will not completely protect you from this exploit.
5. If you think custom cursors are terrible, you are welcome to go to Windows Mouse settings and change all the cursor types to the default, and see how long it takes you to give up and change them back.

Re:Chat, Web 1.0 style

[aybiss]

Yeah, we actually don't want applications to run in web browsers. That's what you need to wrap your head around.

Re:Chat, Web 1.0 style

[mattventura]

It’s almost like Electron apps aren’t actually native apps, they’re just a web browser with less UI. Which is even worse than running it in an actual browser, because then you have the memory overhead of two browser runtimes and less sandboxing.

"locked in a browser tab"?

[JustAnotherOldGuy]

"...and lock users inside browser pages by preventing them from closing and leaving browser tabs."

Ummm, is it soooo hard to use CTRL-F4 to close a tab on Windows or Linux?

Locked in a browser tab, oh noes! So scary.