Firefox gets fix for evil cursor attack

Tech support scam group found a way to abuse Firefox's previous evil cursor patch to enable new attacks.
Written by Catalin Cimpanu, Contributor
(Image: Mozilla)

Firefox fixed last week a bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and prevent users from easily leaving malicious sites.

The bug was discovered being abused online by UK cyber-security firm Sophos and reported to Mozilla earlier this year.

A bugfix was provided and has been live in Firefox since version 79.0, released last week.

What's an evil cursor attack?

The bug is a classic "evil cursor" attack and works because modern browsers allow site owners to modify how the mouse cursor looks while users are navigating their websites.

This type of customization might look useless, but it's often used for browser-based games, browser augmented reality, or browser virtual reality experiences. However, custom cursors have been a major problem for the regular web.

In evil cursor attacks, malicious websites tamper with cursor settings in order to modify where the actual cursor is visible on screen, and where the actual click area is.

For example, mouse cursors can be defined to be as large as 256 pixels in width and height. An evil cursor attack is when a regular mouse cursor is shown in the top-left corner, but the click spot is defined in the bottom-right corner, to create a huge discrepancy between where the user sees the cursor and where the actual click is.

Evil cursor attacks are typically weaponized by operators of tech support scam websites, who use this particular trick to keep users trapped on their sites -- as victims can't close tabs and popups due to the cursor visibility-click discrepancy.

Google has been fixing evil cursor attack avenues in Chrome since 2010, with the most recent one fixed in March 2019. See video below of the 2019 evil cursor attacks in Chrome.

Evil cursor attack abused Mozilla's previous patch

But Mozilla, too, has been targeted. Before last week's patch, the browser maker fixed its last evil cursor attack entry point in 2018.

According to Sophos, the group who was abusing this latest evil cursor attack was actually exploiting Mozilla's previous 2018 patch.

Sophos said the attackers -- a tech support scam operator -- were creating an intentional infinite loop in their sites' code to prevent Firefox's 2018 patch from kicking in, effectively negating Mozilla's previous fix and opening the door for showing evil cursors again.

Mozilla has patched this attack vector now again, with the bug being tracked as CVE-2020-15654.

Say hello to the early days of web browsers

Editorial standards