Issue metadata
Sign in to add a comment
|
UI spoofing using large custom cursors
Reported by
juhon...@gmail.com,
Aug 23 2016
|
||||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36 Steps to reproduce the problem: 1. Navigate to http://lab.igi.tl/cursory-hack/index.html 2. Move the mouse around a bit 3. Click on the omnibox and start typing What is the expected behavior? What went wrong? The location of the mouse cursor is spoofed and the user unwittingly clicks on the HTML document when intending to focus the omnibox. When the user starts typing, the omnibox content is spoofed by animating the canvas that is used as the cursor. Custom cursors should not be allowed to escape the viewport. Did this work before? N/A Chrome version: 52.0.2743.116 Channel: stable OS Version: 10 Flash Version: The whole effect is demonstrated in the attached video clip just in case you're unable to repro it yourself. The hack is based on two previous publicly available examples: http://benjaminbenben.com/cursory-hack/ https://jameshfisher.github.io/cursory-hack/ I wrote my own just to demonstrate that the "feature" can actually be used to do something quite nefarious. I also couldn't find any previous bug ticket referring to the techniques used in the original examples.
,
Aug 23 2016
,
Aug 25 2016
Junov@, can you please take a look.
,
Aug 25 2016
This isn't really about Canvas, this is about custom CSS cursors, which are not limited to rendering all of their pixels within the untrusted viewport. I put up a modified version of the original: https://whytls.com/cursor/ which more clearly shows how that one works. Note that it works well on Windows, but starts to fall apart when full-screened on Mac or when you've elected to show the "Home" button. Prior bugs: https://bugs.chromium.org/p/chromium/issues/detail?id=47395 https://bugs.chromium.org/p/chromium/issues/detail?id=127783 As the "actual" hotspot leaves the HTML viewport, the cursor snaps back to the appropriate system default cursor. If we wanted to address this, we might consider changing our behavior when a CSS cursor is specified such that, as the cursor approaches the top of the browser, we switch over to the default cursor as soon as any pixel of the custom cursor (not just the actual hotspot pixel) exits the viewport.
,
Aug 26 2016
> we switch over to the default Or "clip" the CSS cursor so that it doesn't overflow the viewport. If it's possible.
,
Oct 5 2016
re-triaging to component CSS
,
Mar 6 2017
Issue 698547 has been merged into this issue.
,
Mar 6 2017
,
Mar 6 2017
Adding reporter of duplicate issue.
,
Mar 6 2017
Thanks for letting me view this elawre...(that's all I see as your username) I think the spoofing of the menu button is actually more worrying. Since you can trick the user into actually doing something directly malicous. IE downloading an 'update'.
,
Mar 6 2017
Also, I would like to write an article on this is that ok?
,
Mar 7 2017
Generally, we'd request that you postpone publication until a fix has been made. Having said that, this particular exploit is already public: https://news.ycombinator.com/item?id=12260444
,
Mar 7 2017
Alright great. Not sure how I missed that post. It will be interesting what people think of the menu spoofing too.
,
Mar 10 2017
,
Jun 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 8 2018
I suggest this be given another round of consideration. To add another scenario, this page attempts to trick the user into thinking they've clicked on the lock-icon next to their address bar, when in fact they didn't: https://jonathansampson.github.io/browser-tests/hacks/evil-cursor/
,
Jun 8 2018
I came upon this issue when a family member shared with me a persistent-popup/fake-virus window while browsing Facebook. That page uses this method to make it difficult for the user to close the tab/window (due to the false-cursor's inability to click parts of the chrome).
,
Yesterday
(39 hours ago)
|
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by infe...@chromium.org
, Aug 23 2016