Security: Hijacking clicks on Google Chrome's menu buttons to show own deceptive menus (line of death exploit)
Reported by webdesig...@gmail.com, Mar 5 2017
Issue description

VULNERABILITY DETAILS

Omnibox (or Location Bar), navigation icons, menu icon, and other indicator icons compromised. Also called the 'line of death'. All buttons and menus can be click hijacked, by any website owner/XSS.

Please try this (basic) proof of concept webpage I have created. First click on the Chrome menu to the right. A fake menu will pop up. Click 'update your browser' to download 'google-update-installer.exe'. You can also click the little 'i' to the left of the URL, to show a fake popup that tells the user the page is 'secure + safe'. All the buttons can be mapped, and abused.

How this was done: I accidentally came across this when making a browser game (space invaders). I made a custom cursor, and noticed it crossed both the 'line of death' as well as into the F12 inspector console. I have made a very simple and rushed webpage to demonstrate how this could be abused; please excuse the crudeness and bad programming (very tired). I rushed this to bring you a working proof of concept.

VERSION

Chrome Version: 56.0.2924.87 (64-bit)
Operating System: Linux Mint 18 Sarah (Distributor ID: LinuxMint, Release: 18, Codename: sarah)
Mar 5 2017
Here is a video demonstration. Description: Both the info popup and the Chrome popup are bypassed, despite the user thinking they are clicking on the Google Chrome buttons. Instead our fake menus are shown, encouraging the user to click the big red button to 'update Google Chrome'. Instead our own file is downloaded, called 'Google-update-installer.exe'. This could be a malicious file that the user unwittingly installs, believing it to be from Google.
Mar 6 2017
How this works: Look at the custom cursor I used (cursor-space-2.png). It has a large amount of empty space below it. Using CSS you can change both the cursor, and the point where it clicks. I chose the bottom right corner. So in this POC, while it looks like the cursor is pointing to the menu button or info button next to the URL, in reality it is actually pointing near the top of the screen.

Using this deception to our advantage: We can track where the user thinks the mouse is vs. where it actually is using JavaScript. So using the console and click events, I was able to map out where the mouse was (in pixels) when the 'fake' cursor was on the Google Chrome menu buttons, while in reality the actual pointer of the cursor is invisible and still in the webpage, below the 'line of death'.

So I started mapping out Chrome's UI buttons. I started with that (i) to the left of the URL. First, get the button's coordinates with our 'fake' cursor: click to the left of the button, click to the right, click to the top, click to the bottom, display in console. All the while the real pointer is hidden, and still on the webpage. Using this I wrote some more code:

=> If 'mouse click event' (is between these two X coordinates) and (is also between these two Y coordinates)
=> then info button has been clicked.
=> Show own fake popup (info.png). 'This page is secure' ===> It most definitely is NOT.

Ideally the attacker will make his own element that looks just like a legitimate Chrome popup, and can easily use CSS to perfectly replicate the fade-in and zoom-in animation. In the POC I have just used an image and the Animate.css library to crudely demonstrate this.

I also mapped out the menu button using similar code. This UI element is to the right of the screen, so we need to work from the right edge for one of the coordinates instead: the X axis. This is important because people have different sized screens or might just resize the window, moving the button further to the left.

You can't check if it is between two coordinates on the X axis. But the button will ALWAYS be a certain amount of pixels from the right of the window. So:

if 'mouse event click' ==> (is X axis 30px from the right?) and (is it also between these two numbers for the Y axis?) ==> then the menu button has been clicked ==> show fake menu popup (menu.png) 'UPDATE GOOGLE CHROME NOW' 'BIG ANGRY RED BUTTON!' ===> User: 'I better do what Google Chrome tells me to, don't want to get a virus'. User then clicks the big angry button, prompting a download of our own fake 'google-chrome-installer.exe'.

This is all plausible to the average user. I believe if refined, this POC could be convincing enough even to the more experienced and security aware users.

Note: I did not make the chevron/menu overlap the browser in this POC. But it may be possible using another custom cursor with the chevron + mouse on it, by preloading hundreds of these with different positions, so that when you click ==> JavaScript gets the click position ==> finds the correct pointer/chevron combo that will line up with our pop-up ==> swapping the cursor in and out so fast it looks animated. The chevron maybe fades in/out in like 120ms or less. This might fool users to make it look even more official. I have not tried this, but it is worth exploring too.
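An added audit helper (example code, not the reporter's proof of concept and not Chromium code) that flags the precondition the technique above depends on: a CSS custom cursor whose click hotspot is placed far from the image origin, so the drawn arrow and the real click point diverge. The 32px threshold, the `findSuspiciousCursors` name and the sample stylesheet are constructed assumptions; selectors that swap the cursor on `:hover` are additionally marked.

```javascript
// Scans raw CSS text for `cursor: url(...) x y` declarations and reports those
// whose hotspot lies more than MAX_HOTSPOT_PX from the top-left of the image.
// A large, mostly empty cursor image with its hotspot in the far corner is what
// lets the visible arrow sit over browser chrome while clicks land in the page.
const MAX_HOTSPOT_PX = 32; // assumption: a typical cursor is 32x32, so larger offsets are suspect

// One url() entry of a cursor value, with an optional "x y" hotspot pair after it.
const CURSOR_IMAGE_RE =
  /url\(\s*(['"]?)([^'")]+)\1\s*\)(?:\s+(-?\d+(?:\.\d+)?)\s+(-?\d+(?:\.\d+)?))?/g;

// A flat "selector { declarations }" rule; nested blocks such as @media are
// handled loosely (the inner rule still matches, the @media wrapper is skipped).
const RULE_RE = /([^{}]+)\{([^{}]*)\}/g;

function parseCursorImages(value) {
  const images = [];
  for (const m of value.matchAll(CURSOR_IMAGE_RE)) {
    images.push({
      url: m[2].trim(),
      x: m[3] === undefined ? 0 : Number(m[3]), // no hotspot given means (0, 0)
      y: m[4] === undefined ? 0 : Number(m[4]),
    });
  }
  return images;
}

function findSuspiciousCursors(cssText, maxHotspot = MAX_HOTSPOT_PX) {
  const findings = [];
  for (const rule of cssText.matchAll(RULE_RE)) {
    const selector = rule[1].trim();
    for (const decl of rule[2].split(';')) {
      const colon = decl.indexOf(':');
      if (colon < 0 || decl.slice(0, colon).trim().toLowerCase() !== 'cursor') continue;
      for (const img of parseCursorImages(decl.slice(colon + 1))) {
        if (Math.abs(img.x) > maxHotspot || Math.abs(img.y) > maxHotspot) {
          findings.push({ selector, url: img.url, x: img.x, y: img.y, hoverSwap: /:hover/.test(selector) });
        }
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet: a normal game cursor plus two offset ones.
const SAMPLE_CSS = `
  body { cursor: url("ship.png") 8 8, auto; }
  .bait { cursor: url(cursor-space-2.png) 140 160, auto; }
  .bait:hover { cursor: url('secure-cursor.png') 0 150, pointer; }
  .ok { cursor: pointer; }
`;

console.log(findSuspiciousCursors(SAMPLE_CSS)); // two findings: .bait and .bait:hover
```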
Mar 6 2017
More info on the 'line of death': https://textslashplain.com/2017/01/14/the-line-of-death/
Mar 6 2017
I believe this is Issue 640227
Mar 6 2017
Can also add this cursor on a hover event: after more than 1 sec, change the cursor to this 'secure-cursor.png' popup. Dismiss on movement away from the info icon in the URL bar.
Mar 6 2017
Re #c6: Indeed. Thanks elawrence@. I knew this was reported earlier but could not find the bug myself.
Mar 6 2017
When was it reported? Out of curiosity I was wondering how late I was. I had been sitting on this for a little while. Also, how long before I can write an article on it?
Jun 18 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot