New issue
Advanced search Search tips

Issue 880863 link

Starred by 9 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Custom cursor prevents user from closing tab in browser locker tech scam

Reported by malwarei...@gmail.com, Sep 5

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36

Steps to reproduce the problem:
1. Open the attached example in Chrome
2. Click on the 'OK' dialog button that says 'Your Computer is permanently blocked' to gain focus for the current window
3. Try to close the tab or browser window

What is the expected behavior?
The user should be able to access the UI buttons in order to close the offending tab.

What went wrong?
The custom mouse cursor prevents the user from closing the tab. This is particularly worse when browsing in maximized mode.

Did this work before? No 

Chrome version: 69.0.3497.81  Channel: stable
OS Version: 7.0
Flash Version: 

Tech support scammers use this technique to lock users' browsers.

Browlocks are responsible for many tech support scams where victims that panic will call for assistance. Instead of speaking with what they think is Microsoft, they are dealing with scammers that will defraud them of hundreds of dollars.
 
browlock_custom_cursor.html
22.4 KB View Download
Cc: csharrison@google.com
Wow, this is evil. The cursor decodes to an offset pointer. Should this not be reset when you leave the content area?
download.jpeg
239 bytes View Download
This is amazing. Yes, the cursor returns when the user moves it outside the window, but it's offset so much that the user thinks they're moving it outside the window when they're not.

Should we be clipping transparency around the cursor?
Status: Available (was: Unconfirmed)
Cc: a...@chromium.org
Labels: OS-Chrome OS-Linux OS-Mac
We should be clipping transparency, possibly up to a percentage so that abusers don't make their transparency 0.001% opaque and avoiding a fix.

This is all desktop platforms.
As per https://developer.mozilla.org/en-US/docs/Web/CSS/cursor we should:

1. Clip transparency around the edges (transparency up to a clearly-visible level to avoid people easily getting around this)
2. Adjusting the hotspot values to match the transparency clipping
3. Bounds-checking the hotspot values and clamping them to the size of the image

Note that the hotspot values are, per the spec, "Two unitless nonnegative numbers less than 32". Why are images larger than 32x32 allowed, then?

The spec at https://www.w3.org/TR/css-ui-3/#propdef-cursor specifies no hotspot value maximum.
Here are the specifics:

- third_party/blink/public/platform/web_cursor_info.h has a "external_handle" field on WIN32. Rip that out. It's not used.
- why do we have content/public/common/cursor_info.h and WebCursorInfo? We really should remove one of them
- the fix from comment 5 should live in content/renderer/cursor_utils.cc's InitializeCursorFromWebCursorInfo
Come to think of it, even if we clip transparent pixels from the edges they'll switch to fully opaque pixels near the edges that blend in with the page. At the limit, we're solving a computer vision problem on the cursor image. We may need to put some upper bounds on a cursor size.

Cc: -csharrison@google.com csharrison@chromium.org
Cc: -csharrison@chromium.org
Owner: csharrison@chromium.org
Status: Assigned (was: Available)
I think it makes sense to land some initial metrics tracking cursor sizes. I'll see if I can take an initial look.
Sounds good. We should also look to see what other browsers allow for cursor sizes.
From the spec [1]:
The concrete object size is determined using the default sizing algorithm. If an operating system is incapable of rendering a cursor above a given size, cursors larger than that size must be shrunk to within the OS-supported size bounds, while maintaining the cursor image’s intrinsic ratio, if any.

[1]: https://drafts.csswg.org/css-ui-3/#cursor
Yeah. Other browsers seem to allow for huge custom cursors too.
I think Safari's limit is 128x128. BTW I made a quick test site:
http://cr.kungfoo.net/style/cursor/abusive-cursor.html
Project Member

Comment 15 by bugdroid1@chromium.org, Oct 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/270b976afc30f4aa7498a82f34ad8c08212f49f3

commit 270b976afc30f4aa7498a82f34ad8c08212f49f3
Author: Charlie Harrison <csharrison@chromium.org>
Date: Wed Oct 10 22:19:30 2018

Add UseCounter for cursor size

Large cursors with transparency are being used to trick users on
abusive sites (see bug for more details). This CL adds use counters
to track how often large (> 32x32) and small (<= 32x32) custom images
are used on the web.

Bug: 880863
Change-Id: I631e308f08cd8a14d74fa9d9b6f08821e2839d03
Reviewed-on: https://chromium-review.googlesource.com/c/1272097
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Rick Byers <rbyers@chromium.org>
Commit-Queue: Charlie Harrison <csharrison@chromium.org>
Cr-Commit-Position: refs/heads/master@{#598541}
[modify] https://crrev.com/270b976afc30f4aa7498a82f34ad8c08212f49f3/third_party/blink/public/platform/web_feature.mojom
[modify] https://crrev.com/270b976afc30f4aa7498a82f34ad8c08212f49f3/third_party/blink/renderer/core/frame/local_frame_view.cc
[modify] https://crrev.com/270b976afc30f4aa7498a82f34ad8c08212f49f3/tools/metrics/histograms/enums.xml

Labels: Needs-Feedback
Tried verifying the fix on latest chrome #71.0.3577.0 using Windows 10 by following steps as per comment#0. The fix of the issue is not seen consistently, below are the observations noted while trying to verify the fix.

Observations:
===========
1.Sometimes when the file is opened (reference: browlock_custom_cursor.html  in comment#0) it makes whole browser inactive, where no button works.
2.In case if the browser is active after opening the file, on clicking "ok" button and tried to close the tab then observed that it does not close the tab rather it focuses the text in the browser page.
3.On clicking the close tab button the tab gets closed after multiple trials.

Attached screencast for reference.
@Charlie Harrison: Could you please verify the attached screencast and let us know if anything is missed so that it would be really helpful in verification of fix.
Thanks.!
880863(M-70).mp4
3.0 MB View Download
swarnasree.mukkala@, this issue is not fixed. The CL in c#15 just adds metrics so we can evaluate whether a fix can be landed without breaking web compatibility.

I'll be sure to mark the issue as fixed when the final CL goes through, there will likely be a few more though.
Project Member

Comment 18 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6072eb20a5d5007d5cc0a9ca316f7b23b95c660f

commit 6072eb20a5d5007d5cc0a9ca316f7b23b95c660f
Author: Charlie Harrison <csharrison@chromium.org>
Date: Fri Oct 12 19:01:02 2018

Add custom cursor image size to UseCounter ukm whitelist

This API is being used for abuse.

Bug: 880863
Change-Id: I122e23f589d62eecc01a4418db3573c53779de7f
Reviewed-on: https://chromium-review.googlesource.com/c/1275165
Reviewed-by: Bryan McQuade <bmcquade@chromium.org>
Commit-Queue: Charlie Harrison <csharrison@chromium.org>
Cr-Commit-Position: refs/heads/master@{#599314}
[modify] https://crrev.com/6072eb20a5d5007d5cc0a9ca316f7b23b95c660f/chrome/browser/page_load_metrics/observers/use_counter/ukm_features.cc

Labels: Merge-Request-71
Requesting a merge of https://chromium-review.googlesource.com/c/1275165 to M71 (see comment #18). This was a one-liner change which will allow for metrics collection.
Project Member

Comment 20 by sheriffbot@chromium.org, Oct 16

Labels: -Merge-Request-71 Hotlist-Merge-Approved Merge-Approved-71
Your change meets the bar and is auto-approved for M71. Please go ahead and merge the CL to branch 3578 manually. Please contact milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 21 by bugdroid1@chromium.org, Oct 16

Labels: -merge-approved-71 merge-merged-3578
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c4d3d2abaf6ff083374c98fdafbb90a8da8743f5

commit c4d3d2abaf6ff083374c98fdafbb90a8da8743f5
Author: Charlie Harrison <csharrison@chromium.org>
Date: Tue Oct 16 14:31:19 2018

Add custom cursor image size to UseCounter ukm whitelist

This API is being used for abuse.

TBR=bmcquade@chromium.org

Bug: 880863
Change-Id: I122e23f589d62eecc01a4418db3573c53779de7f
Reviewed-on: https://chromium-review.googlesource.com/c/1275165
Reviewed-by: Bryan McQuade <bmcquade@chromium.org>
Commit-Queue: Charlie Harrison <csharrison@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#599314}(cherry picked from commit 6072eb20a5d5007d5cc0a9ca316f7b23b95c660f)
Reviewed-on: https://chromium-review.googlesource.com/c/1283389
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Cr-Commit-Position: refs/branch-heads/3578@{#36}
Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034}
[modify] https://crrev.com/c4d3d2abaf6ff083374c98fdafbb90a8da8743f5/chrome/browser/page_load_metrics/observers/use_counter/ukm_features.cc

Cc: viswa.karala@chromium.org
Able to reproduce the issue on chrome reported version# 69.0.3497.81 using Windows-10, tried verifying the fix on latest Dev# 71.0.3578.10 using Windows 10 with steps mentioned below:

Observations:
===========
1. Launched chrome reported version, dragged and dropped the '.html' file provided in comment# 0
2. clicked on 'OK' dialog button that says 'Your Computer is permanently blocked' and observations are as follows
Observations:
=> Sometimes on clicking 'OK' on the popup, doesn't close the popup but we are able to close the particular tab(attached screencast for reference)
=> In some situations, on clicking 'OK' on the popup, closed the popup but unable to close the tab we are currently working on.  

@Charlie Harrison: Please verify the attached screencast for your reference and let us know if this issue is fixed or nor? (or) is there any other pending CL's for this issue?
Thanks.!
880863.mp4
2.3 MB View Download
viswa.karala: This issue is not fixed, and there is still a lot of pending work. As I mentioned in c15, I will be sure to mark the issue as fixed if I fix it.
Labels: Merge-Merged-71-3578
The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/c4d3d2abaf6ff083374c98fdafbb90a8da8743f5

Commit: c4d3d2abaf6ff083374c98fdafbb90a8da8743f5
Author: csharrison@chromium.org
Commiter: csharrison@chromium.org
Date: 2018-10-16 14:31:19 +0000 UTC

Add custom cursor image size to UseCounter ukm whitelist

This API is being used for abuse.

TBR=bmcquade@chromium.org

Bug: 880863
Change-Id: I122e23f589d62eecc01a4418db3573c53779de7f
Reviewed-on: https://chromium-review.googlesource.com/c/1275165
Reviewed-by: Bryan McQuade <bmcquade@chromium.org>
Commit-Queue: Charlie Harrison <csharrison@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#599314}(cherry picked from commit 6072eb20a5d5007d5cc0a9ca316f7b23b95c660f)
Reviewed-on: https://chromium-review.googlesource.com/c/1283389
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Cr-Commit-Position: refs/branch-heads/3578@{#36}
Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034}
I'd just like to point out that this wider security implications than just browlocking users.
By observing the mouse position and various user browser metrics (such as screen resolution and OS), address bar content can be predicated and replaced.
This can be leveraged for more elaborate scams.

Consider this quick-and-dirty PoC (not optimized for all screen sizes):
http://storage.googleapis.com/cdn.guard.io/tmp/poc.html

Comment 26 by csharrison@chromium.org, Nov 7 (6 days ago)

Labels: -Needs-Feedback
Status: Started (was: Assigned)

Comment 27 by csharrison@chromium.org, Nov 7 (6 days ago)

Quick update: I was hopeful we could just deprecate images larger than 32x32, but they seem to be used quite a bit (~.05% of page visits). One common use-case is large magnifying glass style UIs on e-commerce sites. 

I am landing more metrics to measure larger images > 64x64, which hopefully are an order of magnitude more rare.

It also seems like Chrome does not respect the spec wrt larger cursor images. We don't scale them down. Changing this behavior could help the deprecation process.

Comment 29 by a...@chromium.org, Yesterday (36 hours ago)

Labels: Hotlist-Abusive

Sign in to add a comment