Cursor spoofing and cursorjacking

Today I’d like to continue the clickjacking topic and review another kind of attack, named cursorjacking. It was introduced last year by Eddy Bordi. The attack compromises pointer integrity: the guarantee that users can rely on cursor feedback to select locations for their input events. One advantage of this attack vector is that the target link can stay visible and located at its original place. This makes it harder for a robot to identify the attack and block the compromised page. In addition, it works even if JavaScript is disabled in the user’s browser.

The main idea of the attack is to replace the user’s cursor with a fake one. The fake cursor is shifted relative to its normal position, so it gives the user false feedback about the pointer location.

[Image: normal cursor]

[Image: fake cursor]
Of course, in a real-world attack the background would be transparent, not red. Cursor replacement can be achieved in several ways.

JavaScript version

Hide the user’s cursor with html { cursor: none; } and add <img src="path/to/fake/cursor.png" />. But then you have to track the user’s real cursor position manually and place the fake one there. By the way, you can even make the fake cursor look exactly like the real one (without any empty space on the left): shift the fake cursor programmatically while calculating its new position.


CSS version

Another trick is to simply replace the cursor with our own using pure CSS: .fake-area { cursor: url(fake-cursor.cur) }. This allows an attacker to spoof the cursor over some part of the page (but not the whole page, as in the previous example).
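As an added example (not code from the original post), here is a small heuristic that a crawler or content scanner could run over a page’s stylesheets to flag the declarations both variants above depend on: cursor: none (the JavaScript version) and cursor: url(...) (the CSS version). It parses flat rules with a regex over a constructed sample stylesheet; nested @media blocks are out of scope.

```javascript
// Heuristic scanner for cursor-spoofing CSS (added example, not from the post).
// Flags declarations that hide the native cursor (cursor: none) or replace it
// with a custom image (cursor: url(...)). Handles flat "selector { decls }"
// rules only; nested blocks such as @media are not parsed.
function findCursorSpoofRules(cssText) {
  const findings = [];
  // Strip comments first so commented-out rules are not reported.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selector = m[1].trim();
    for (const decl of m[2].split(';')) {
      const idx = decl.indexOf(':');
      if (idx < 0) continue;
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      if (prop !== 'cursor') continue;
      const lower = value.toLowerCase();
      if (lower.startsWith('none')) {
        findings.push({ selector, value, reason: 'native cursor hidden' });
      } else if (lower.includes('url(')) {
        findings.push({ selector, value, reason: 'custom cursor image' });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet mixing benign rules with the two spoofing idioms.
const SAMPLE_CSS = `
  body { margin: 0; }
  /* cursor: none; commented out, must not be reported */
  html { cursor: none; }
  .fake-area { cursor: url(fake-cursor.cur), auto; }
  a:hover { cursor: pointer; }
`;

for (const f of findCursorSpoofRules(SAMPLE_CSS)) {
  console.log(`${f.selector} -> cursor: ${f.value} (${f.reason})`);
}
```

A hit is only a signal; a finding plus third-party iframes (social buttons) on the same page is what merits manual review, since custom cursors also have legitimate uses.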

But the cursorjacking attack is not common nowadays because it is hard to replace the user’s cursor with a visually identical image. Different OS versions may have different cursors; in addition, users may select their own custom cursors or OS themes. Also, when the attacker wants the user to click inside an iframe (“Follow me”, “Like” and “+1” buttons are implemented as iframes), the cursor changes due to the iframe’s styles and therefore reveals the user’s real cursor position.

Advanced cursor spoofing

As you may have noted, the attack is too obvious for the victim; it would be better if we could hide the cursor over the iframe or at least minimize its appearance. What if we add another div element and make sure the user hovers it once his cursor enters the iframe area, and then remove/hide the div right before the user’s click? There are two problems with this approach: how do we track the user’s cursor position when it enters the iframe area, and how do we know the moment right before the user’s click?

The first problem can be solved by “picking up” the user’s cursor before it enters the iframe area, so technically the user hovers an element from the attacker’s page and never enters the iframe area: there is no cursor change and no tooltip.

The second problem is more challenging, but still possible to solve. There is no beforefocus event (so we can’t use the trick from the previous clickjacking vector) and no beforeclick event either. But we can try to guess when the click may happen. To make our guess more reliable, we can learn from the user first. Let’s say you have a page with some text and a dozen links on it, like a normal blog post. While reading the post the user opens some links, so why not use this information in our attack? The attacker can learn the user’s behavior, such as how quickly the user presses the left mouse button after entering the target area, or how fast the user moves the cursor (usually faster movements mean faster clicks).


Defence

Be suspicious and pay attention to where you are clicking. It would be nice to have your own custom cursor in the system, but this could be compromised by social engineering or similar means.