Something exactly like this almost got me kicked out of school, first year.
I had just picked up Delphi and being the nerd I was, I wanted to make use of it anywhere I could. At the time, the Windows API was essentially completely open to mess with, and I had discovered a bunch of weird things, like the fact that setting (!) the mouse cursor position was even possible, and I knew the CD ROM drive could be opened with code as well.
I packed those things into a quick Delphi program, removed its main window (so like a daemon essentially) and then deployed it on our school computers (everything was open, I just put it into the Startup folder if I remember correctly).
Well, I had the daemon deployed on most computers eventually and it had a timer that looked up a file on the shared network drive, and depending on what was in that file, it would do something, or stay quiet in the background.
Since our IT classes were mostly just "doing stuff in Microsoft Word" (good old times), I couldn't hold off for too long and just added the magical "shakymouse" to the text file, a minute or two later, you would see everyone's mouse cursor start to wobble. It became next to impossible to hit a button or anything really, and I just had the time of my life as the teacher scrambled around to figure out what in the hell was going on.
I then changed the text file to "cd" and everyone's CD drive opened (one after the other as they all slowly picked up the command). It was SO AMAZING (just the choreography of it all), I literally almost shit my pants out of excitement.
Problem was, there was only one person in the entire school they felt was capable of such nonsense, so they had me at the principal's office an hour later. They made a big show out of it, and told me to go home as they'll come up with a punishment and they'll also need to talk to my parents.
I thought I was in massive trouble, didn't sleep at all that night. Next morning, I'm back at school, principal wants to see me, tells me I am free from having to attend the IT classes, as I clearly don't need them, and this reduces the chance of me getting bored. So it worked out quite nicely after all. Lesson learned... CRIME PAYS!!!
The network space on my university campus was flat and unfirewalled - one big /16 on which every device had more or less unfettered access to every other device.
Sometime in my senior year, I read that there was a PJL command that could set the ready message on networked HP printers.
Naturally, I wrote a script that walked the entire /16 and would attempt to set the ready text to "Low Toner". My girlfriend convinced me not to run it, so I changed it to "Low Mayonnaise" and ran that instead.
For the next few weeks, seeing "Low Mayonnaise" on printers was a pretty common sight. It disappeared on its own as printers were reset, or error conditions triggered, but it did feel pretty satisfying.
This sounds super similar to a prank I pulled in high school.
At school, it was sort of a cat-and-mouse game between the students and the sysadmin. Kids would find new ways of evading the school blocks (different proxies, someone getting a bypass login, etc so they could access myspace) that the admin would then catch a couple weeks later and close. A lot of these proxies were distributed on the fileserver that was shared between students.
One day, I wrote a small piece of software in my programming class (in VB6!!) that would wait a random length of time, and then open and close the CD tray. I wrote a short batch script that would copy that file to startup and then open the current popular proxy software. I then changed the icon on that script and placed it where people expected to find the proxy software, giving them reason to run my script.
Students then unknowingly disseminated my software all over the school, and the next day (after PCs were rebooted overnight) the software would take effect and randomly open/close the CD trays of computers all over the school.
They ended up tracing it back to me (windows user permissions/ownership, probably) and I was promptly banned from computers at school through the end of the year and for most of the next.
VB6 was the worst and best kind of software. You were NEVER (even as a professional) sure if it ran on the other/target machine, so you just hoped for the best.
Also, I quite like the cat-and-mouse analogy you mention, because I feel it was (mostly) a harmless way to hone skills, to level up knowledge essentially, with a (at the time) reasonable amount of risk involved, which kept it exciting enough to learn more. It would be cool to see schools have a bug-bounty type of environment here or there, just for those few kids who actually want to spend their time on getting better at networking.
Luckily the school was rather new so all of the PCs across the entire school were identical, whether they were for a teacher's use, the programming class, or the graphic design and yearbook clubs so I was luckily able to avoid any of those shortcomings.
Can't say my school had anything of the sort (they'd prefer to punish and force you back in line with other students) and while I like the idea, I know that in HS it'd feel too akin to snitching on my classmates to participate in that.
We had a battle with the sysadmins, with us trying to do pranks and the sysadmins trying to find us. This was around 1996 or so (I remember this because Quake had just come out).
Anyway. I remember us communicating with the sysadmins by writing small messages in files we were not supposed to be able to access.
Hah, I had a similar experience. Got kicked out of one class, changed to a keyboarding class because I could already type fast. Easy A, right? Well, the computers didn't work very well and I'd fix them, and leave a signature where I'd been. Teach was a little flabbergasted when I'd be sitting at a "broken" computer but no matter.
Don't tell, but I knew how to pop into windows and play games, and the machines were networked so I had everybody's classwork sitting right there. They can't catch you cheating when the assignment is to copy the same damned text. Teach lost me on day 1 when I did 65wpm on the 5wpm test, all like "no, you can't skip ahead, you've demonstrated you can type at 5wpm, now you need to take the 10wpm test"
But then they taught us how to use macros in a word processor. I don't know how or why, but the computers had a shared namespace for these macros. We were only supposed to use them, but I figured out how to make and edit them. Told a friend about it. The friend promptly changed the macro the class was meant to use. With recursion. And that was Trouble. Who gets the blame? Kid with their name on all the autoexec.bat files, that's who.
Shortly after I got back from suspension, I talked to the IT guy, and became his unofficial TA, and fixed computers during that class period.
> I don't know how or why, but the computers had a shared namespace for these macros.
They were saved in the "normal" document template, probably, I guess shared to the network drive. My first tech job was interning with an insurance company which had some important VBA script saved in the template. I want to be charitable, but it was almost certainly out of cluelessness... the macro even included a check to only do anything when run from a specific document, so it's not like it was meant to run from every document.
Of course I didn't realize this and it bit me when I dutifully made a copy of the document before editing the macro... only to break something in "production" (or what passed for it...) and get yelled at for it.
Tangentially, not too long thereafter I replaced most of my job (and that of half my six-person team) with a short M4 macro (secretly, of course). Freed up many hours during the workday to work on my Perl chops and figure out how to get one of those sweet "GMail" invitations.
This is hilarious. I have another somewhat related story.
Back in 7th grade I stumbled upon the "net send" command. So, bored in the back of class one day, I sent a few messages and saw them pop up simultaneously on all the computers. I thought it was pretty funny. I didn't send anything vulgar. Just something like, "yo", and "it's Evan" (yes, I put my name).
Well, turns out I sent those messages to every computer in the district. Three elementary schools, one middle school, one high school, and the administration building.
Maybe 10m later someone from the IT team came and asked who had computer #XX. Obviously was me. Principal claimed I hacked into all the computers and said he'd call me back in for an appropriate punishment.
Nothing ever amounted to it. Never got called back in so I had no repercussions.
Back when I managed a call center, we were just integrating some new messaging software. This was very old-school, IBM 3270 dumb terminals hooked up to the mainframe.
One of the team leads was trying to figure it out, and sent a message to her group saying, 'if you can read this, please raise your hand.'
Of course, she got it wrong, and sent the message out to the whole corporation. No safeguards against that, at the time.
Nothing bad happened, other than severe embarrassment. But I still smile at the thought of the marketing department sitting in their offices, hands raised, wondering if it was safe to lower them yet...
Hah! I did the exact same thing when I discovered the “net send” command. Only me and my friend were playing around so we sent each other messages like “I know where you live”..... the school tech was cool with me so I didn’t get punished, but quite a few admins were freaked out by these strange messages appearing on their computers.
I discovered and did the same thing (except I didn't put my name they just found where I was seated, poor school, very regimented computer lab). I got suspended. Guess we get different treatment for curiosity after all.
Similar for me, but I was always a bit morally dyslexic and decided to send “This school has been hacked” or some such. This was before computers were really used in school much other than the 1 computer room to teach touch typing and/or some basics, so our school didn’t have a proper IT team but instead used some local external support business. The school panicked and shut down every computer and printer until they could come “fix” it.. 2 days later.
I got suspended for a week and banned from the computer room for a year.
When I was 12, I found out about `shutdown /i`, which opens up a GUI where you can enter target IP addresses.
Obviously I had to try it out in class. Each computer room in school had its own IP range, so it was easy to target all PCs in the current room.
At the end of the class, I shut down all PCs - it worked!
I told a friend how I did it - of course he had to tell the others in class.. so the war began and everybody shut down their neighbors' PCs!
We then invented "defense scripts" in batch, which basically ran `shutdown /a` in an infinite loop to cancel any shutdown requests.
In the end, the administrator disabled the shutdown command - the official reason was potential harm we could do concerning A-levels.
Wow. One time in highschool I ran Rainmeter (a harmless HUD program: https://www.rainmeter.net/) from my flash drive on a school computer to show a friend. The next day I got called up to IT because they apparently had software listening for any foreign executables (but not actually blocking them?), and policy was to suspend me from school computers for two weeks. I was taking a CS course at the time, so for two weeks I just had to sit there in class doing nothing.
When the IT guy talked to me, he even said he'd seen Rainmeter in a magazine and tried it out at home and thought it was pretty cool. But the admins had watched Hackers too many times, it seems, and thought it appropriate to treat me like a delinquent :P
Edit: Looks like Rainmeter is still alive and kicking! Maybe I'll give it a revisit
This was close to the way my high school chose to deal with process gaps. Luckily, the two IT guys were more than happy to help me out - I could get off scot-free if I just showed them how I'd done it.
They blocked executables on floppies, but if you copied something to a floppy as a .txt file to My Documents and renamed it, it was runnable.
They then blocked executables in My Documents, but if you put in a batch file, that'd still run.
They then blocked batch files, but if you created a shortcut to "cmd.exe" and ran that off a floppy, you got a shell prompt, from which you could run whatever you want.
They then blocked executing "cmd.exe", but the initial response didn't also include "command.com"...
_Unfortunately_, at that time, I'd already discussed the "cmd.exe" loophole with them, and the "command.com" loophole was basically the same thing that I'd already been told not to do... so I got detention for this one, and promptly stopped.
Oh yeah, the school admins were always (probably all around the world) a special bunch of people. From complete bureaucratic permission junkies, to those who opened the doors for curious students to hack around, experiment and in general just talk shop with a grown-up (of sorts). At the time, I felt it was so hard to find people to learn from, everyone was just playing games or hating computers. So those people could (sometimes) be a beacon of light in a not-so-nerdy world.
In another school (where IT was much more advanced, likely a lot like you've encountered), I put a file called DukeNukem.exe on the school-wide network share, and it didn't take long for people to discover it. It just showed an error, game needs some extra permission, and asked you to enter the password to try again. Well, people did that of course and the game didn't work. But another file on the network drive collected EVERYONE's password, one after the other, it took a few weeks until they caught me. They were able to use some Novell admin ninja something something to figure out who placed the file there and again, I was kicked out of IT classes, no other harm.
Rainmeter is awesome! The scripting to make your own desktop widgets is so simple to learn even my non technical friends who use rainmeter can make/modify stuff. I think it's a good example of how to make "code" accessible to non-coders
> Problem was, there was only one person in the entire school they felt was capable of such nonsense
I found myself sitting in the vice principal's office, as a kid, all alone with his password under his keyboard. I thought long and hard about going to the local library, dialing up to the school network (modem days) and changing a bunch of grades of students to improve my GPA. That reason you called out is the only reason I did not. All eyes would be on me.
So I resorted to just mild pranks
- took a virus from my library and submitted it with homework
- found someone trying to install sub seven on my girlfriend's computer. I reverse subseven’d him and socially engineered him to give me his address. Used mapquest and showed up at his house
- made a fake virus that pretended to run format c: on my mom's computer. My mom had the principal's office call me out of class in 6th grade. I remember laughing my ass off that I got called out of class for that prank
- in college I wrote a program that would split up audio files into variable lengths up to 1 second and send them to a list of servers (sun ultra 60s) then run auplay to play the audio of the files out of the speaker. The controller would keep track of which system had which part and would play the audio in sequence across the various systems. The sun servers were lab computers with users on the console. Imagine their surprise when Mega TeamFortress sounds start playing in surround sound out of all of the systems around them.
- scotch tape over the very end of Ethernet cables on desktops (fun!)
- vb or c# program that “jiggles” the mouse pointer. I made a coworker throw out three mice because of it
- redirecting a coworker's network drop to a spare Linux computer in my office running tc introducing random latency
- control-alt-down on windows computers
- random times in cronjobs that run shutdown or randomly kill shell processes on unix boxes/accounts that were left unlocked
There’s probably more, but whew I haven’t pulled a prank in over a decade!
One of the demo sounds shipped with SunOS was a little metallic "ding" which, if repeated fast enough, would sound just like a cooling fan with a loose bearing. When my co-worker across the way complained about a noise from his machine I told him to hit it on the side; he did, and of course the sound "stopped".
Might have been several days later when I got busted from laughing when hitting his workstation as hard as he could didn't "fix" it anymore. I have no idea how that hard disk survived.
Back in high school, I thought it was hilarious to swap around the numerals on the keyboard. My two favorites were: moving 0 to the beginning of the number row and shifting the remaining keys over by 1, and swapping the numpad to telephone order with 1 at the top left. Much more logical layouts if you ask me. Alas I don't think I got too many people with that one because our logins included our graduation year...
My two favorites on that list clearly are: scotch tape on ethernet cables (what a horrible, horrible ...yet so fantastically effective idea), and cronjob shutdowns (why did I never think of that).
Huge congrats to the principal and council. This is not what I expect to see from schools usually (a big part of my family works in edu) and this is exactly what they should have done. Even better they should have asked you to give some lessons and start actively being part of the course. But this would require the program to be a little more profound than text editing and office automation.
We had Windows machines in around 94. They booted to some kind of menu where you could do various things I don't recall...and boot Windows. There was a problem with my friend's machine one day and I saw the IT admin type a ludicrous single character username and password to get into this boot menu.
So I used it to have a look around and change the startup message to insult a friend. Then I told him how...and he told everybody. Next day all of the machines had obscene messages, and someone was caught doing it, they said my friend told them, and he told them that I told him. Thanks buddy.
I remember being terrified as I told the deputy head how I 'cracked the code', but I think I just got a detention.
Similar thing for me in college, when it came to punishment they asked, "what sort of reprimand do you think you would get in the work place?" And I replied with "sent home with pay?". They weren't impressed.
My high school claim to fame was a VB.NET application I wrote during class that would connect directly to my server to download flash games since online flash games were constant cat and mouse. I had hotkeys so you could hide the whole thing from screen and taskbar on a whim. My flash repository was still getting hits for years after I graduated, though that tapered off a little while ago.
I burned some CDs with an autorun executable written in VB6 that would play a certain Rick Astley number at maximum volume until the user logged off. Left them lying around with various enticing labels. The result was as predicted. Unfortunately, as in your case, I failed to realize that the list of students likely to do such a thing was a very short one indeed.
Later on in my school clown career, I reconfigured the printers to add a giant “CONFIDENTIAL” watermark across every page. This was the day before an important coursework deadline. That one did not go as planned: clients that had cached the malicious settings kept sending them back to the print server, and it couldn’t be fixed until everyone went home for the day.
Back in the day, my highschool had two classrooms with computers, but they were not connected to the internet. For that, there were two (for a school of ~1800) computers in the library that you could reserve for a 15m block. They both had a 14k4 modem to dial in.
Interestingly, all of these computers were wired to a LAN. It didn't take long for me to install a proxy server on one of the library machines, allowing me and my friends to use the internet in the computer classrooms.
At some point the system administrator (who was also a German teacher) saw us browsing the web. Instead of getting mad, he just laughed and offered to pay me a bit of money to properly set this up for everybody.
Haha, this sounds almost exactly like my Delphi story - just I didn't target the mouse.
Instead, I did target each keyboard's keys which - when being pressed - would play a sound using internal speakers. Deployed it on all devices in the room and once class started, we had a lovely concert going on.
That’s a good story. In middle school I got similarly called to the principal’s office and threatened, but literally all I did was send messages (and nothing particularly menacing or inappropriate) to other computers using the Novell client software that was installed on every PC at school. You had a lot more fun!
Had a classmate get suspended for this same exact thing. He sent a message to EVERYONE on the network, but I don't remember what it was.
They promptly removed the Novell software from the start menu, but left the app installed. Some friends and I knew how to find it still and could still message each other during class.
I got only suspended for two weeks because I pressed E in the grub menu and booted linux with a root shell. I told my teacher that their installations are basically not secured at all and he didn't understand anything I tried to explain and sent me to the school manager, who accused me of hacking the school network.
This sounds very familiar. In my final year at school I was given privileges to 'monitor' the school's computer lab over lunchtimes. What that amounted to was really just reminding the other students to save and leave before the afternoon lessons started.
I thought better and that I could automate this task by writing a small background task in VB (4 or 6, I can't remember which year/version) which would listen for commands on UDP.
One such command would initiate an immediate shutdown. Without prompting the user to save open documents.
Only once I issued that command to the entire lab.
It didn't take long for everyone to find out who did it since my own machine was still logged in and working.
The next day I removed the process from the machines lest I get myself in any real trouble.
Automating things was quite a thrilling thing to do at the time (before one was paid to do so). And UDP in VB, holy moly, some seriously advanced stuff (at the time).
Hah, I did something sorta similar in my freshman year of high school - I noticed that emails sent to the whole school were sent to mailing lists (in gmail's terminology - not sure what this kind of address is in actual email standards) called "allYYYY.student.school.org", where YYYY is the graduation year of a grade and student.school.org is the domain all our student emails were at. I hadn't seen that kind of email address/mailing list address before, so I wondered whether it was just a legit email address as well. It turned out it was (it was for a google group in the domain also called "allYYYY" IIRC) so when I sent an email with subject line "Hello" and body "?" to allYYYY(at)student.school.org to see if it would give me a mailer daemon response, that got sent to all ~800 people in my grade, some of whom promptly started replying to all. Eventually a couple kids started sending edgy memes, so I was called into my dean's office and asked to forward them the whole thread so that they would know they weren't missing out on anything "dangerous" (I think the main one they were concerned about was a picture of someone shooting a gun with the caption "I would literally die if a guy did this to me"). Then they locked down the capabilities on the google group, so no more unapproved email campaigns :(
Reminds me of the time I naively did "net send *" to send messages to a coworker such as "What's up dog?" at a US Air Force base hospital (I was summer hire working in the warehouse). My coworker got a kick out of it, but apparently every computer in the entire hospital was on the same domain and two frantic IT NCOs came bursting into the warehouse trying to figure out who was sending the messages. Apparently the group commander's computer was getting them too...
I cannot imagine this taking place in this day and age. The principal would have you marched out of the school escorted by police and charged you with a federal crime or something.
Oh, the fun we've had in computer classes in school... Our high school was math-oriented, so there's a bunch of 14 year olds who spend 6 hours a week proving theorems and lemmas – and learning a local dialect of Lisp made by our school staff. Obviously, there were a lot of shenanigans, trojans, and DOS attacks, but the best part was when my classmate got so annoyed by his PC restarting for the third time just as he logged in and opened his IDE third time in a row, he physically attacked a classmate who he thought was responsible. (He wasn't, it was me, from another classroom). After that, our whole class was downgraded to DOS as collective punishment.
I taught some friends how to code in high school and they went to do some prank like yours.
Of course they called me out of all the students and basically just told me "we don't care who did it, just remove it".
Another time someone downloaded pr0n on their account and pretended someone framed him; I was then confronted by the school bullies on why would I do such a thing.
I brought Sub7 into my high school in the early 2000s and just used it to mess with some friends. Harmless stuff like opening Notepad and typing into it.
Well someone else discovered it and did a bunch of damage to a bunch of machines and got into trouble, but I got off clean as a whistle. Sticking to gray hat kept me outta trouble.
> At the time, the Windows API was essentially completely open to mess with, and I had discovered a bunch of weird things, like the fact that setting (!) the mouse cursor position was even possible
It's still possible, I did that a couple months back while making a Cyberpunk 2077 hacking mini-game autosolver
Oh that's interesting to hear! I assumed that most things have probably been shielded off behind UAC and similar things (like the Mac keeps asking to allow certain apps to even read the screen or access the Desktop now).
I received a similar summons to the principal's office for using the "netmsg" DOS command to send a single character, the letter q. I had intended to only message my friend in the same room but it went to every computer in the school.
On Windows 95/98 there was an API call that hid your process from the taskmanager (intended for services, IIRC). Used that trick on my "fun" Delphi programs.
My 2nd grade teacher accused me of "hacking" the Commodore 64 when she caught me showing another kid how to write a "what is your name" program. (Of course this same school unplugged all their C64s on Michelangelo Day so you can guess their level of tech training.)
I never did it at school but there was always the "fake prompt" trick. Do a few fun things -- throw up fake syntax errors (including transposing characters the user typed correctly) -- print out some rude error message or "formatting drive..." -- and then silently hand control back to the real shell.
You’d be surprised. I bet my elementary school teacher that I could hack their floppy based “email” system once. She felt confident since it had an administrator password.
I figured out that if you removed the floppy before you tried to log in, it would assume you were setting it up for the first time. Then you enter in a new password, put the floppy back in, and hit enter. It overwrote the admin password and poof. “Hacked”. She was not happy. I wish I could remember more details but as you can relate it was a long time ago :)
did something similar, with delphi, using winapi but also used opportunity to learn network sockets so the daemon was controlled using telnet. and instead of deploying it to the lab I was just showing it to those who were interested, so didn’t run into problems with teachers :)
- pushed in my USB drive with autorun to copy files ( it was related to a dare)
- someone was a bully. He talked about nfs 2. Sub7 him and deleted his saved games of it (a website caught his IP in logs, also msn could see the ip connected during a file transfer at the time - unrelated). I laughed silently, when he complained at school.
- distributed the twilight and crazy bytes CD/dvds at school. The compression was amazing! (I know it deleted assets too)
My desktop contained 3 cd writers to burn things. Later on 3 dvd-writers.
- Didn't fiddle with hardware too much. But I remember doing modem bonding for double speed. I quickly stopped because my parents found out (2 phone lines occupied) and because of the high price... 5,6 kb. * 2 felt insane. It was a normal model though and seems a bit weird, telling it. Did anyone do this too? (Don't remember it very well)
- chat logs of msn were amazingly simple and nice at the time! Xml with dtd. I still use it for a lot of things for templating client data and even generating html from it. Most useful thing from then, that I still use.
It's a fun trick, but to reassure anyone who's panicking right now, it's not actually moving your cursor
It's hiding your cursor while it's over the site, rendering an <img> of a mouse cursor at its location, and then moving that around a) when you move your real cursor, and b) with random perturbations
Note to the author: the illusion would be even better if you used the user-agent to render a system-accurate mouse cursor ;) (on macOS the real cursor is black and the fake one is white)
> Note to the author: the illusion would be even better if you used the user-agent to render a system-accurate mouse cursor ;) (on macOS the real cursor is black and the fake one is white)
You're right, it would make the illusion better. I developed this on Ubuntu where the default cursor is black, and I did consider doing this. Eventually decided to just use the default white cursor from Windows because it has better contrast on the dark color scheme. I guess I could set up 3 different color schemes for 3 different cursors for Mac, Linux, Windows, but it may be a bit too much work. I think most people who notice the cursor is different will just think "oh, this website uses a custom cursor", they won't necessarily realize that it's just an image.
Even better would be to use the fullscreen api and mouse capture api to trap the mouse for real. Then you could render fake browser UI and do whatever you want when people try to click on it. If you really wanted to mess with people.
Yeah but I bet at least half of people wouldn't notice, especially if you put something interesting on the other side of the screen for a second. Or you could render a bunch of overlapping fake warnings all over the screen, making it difficult to find the real one. Or you could put an exit fullscreen button and pretend to exit fullscreen when clicked, but you're actually still in fullscreen. Etc. I should probably stop giving the malware guys ideas...
> Note to the author: the illusion would be even better if you used the user-agent to render a system-accurate mouse cursor ;) (on macOS the real cursor is black and the fake one is white)
I've already seen sites that change the cursor's appearance, so I wasn't particularly "shocked" by that (I'm on a Mac).
However, what should improve the illusion would be to not move the cursor outside of the view area.
It's a bit odd to me that it doesn't ask for any kind of permission on Chrome, just that a user click initiates it. It does briefly pop a hint that "<esc>" will release the mouse.
I mean it was obvious by looking at the inspector if you have Firefox. It's funny, I was able to "click" the how does it work button even though it makes it look like you can't mouseover it.
Also, kind of obvious given I use a gtk+3 dark theme and the mouse they use is white.
Not everyone here is a web dev who's familiar with the inspector :)
With the genuine browser security concerns that do exist out there (and the often-exaggerated narrative around the degree of the problem), it's worth being explicit that this is not actually a real one.
I used Mac OS for decades before switching, but I changed my Windows cursor to black because I'm used to it and I genuinely think it makes more sense with most backgrounds being light colors.
I'm not sure what the panicking would be about being able to move the cursor inside the website.
I had assumed there would simply be JavaScript calls for this. How is it a problem that this be possible? That it can make one click on links that can be activated with JavaScript on their own already?
Of course, if it could move one's cursor outside of its own rendered page, that would be problematic, but this trick cannot simulate that either.
There are no web APIs to move a cursor within a web page. That means if you see a website moving your cursor, you see a website doing something it's not supposed to be able to do, and there's no reason to assume that that ability would be limited to the browser window or merely one tab in the browser. (Of course this website does not move your cursor.)
It's extremely easy to check because the effect stops outside of the website window itself or when the tab be switched?
And even if there is no a.p.i., when a website does it via some creative hack then one can assume the hack is most likely to work inside its own window only.
And finally, how would the average layman know there is no such a.p.i.? Even the expert could not be sure it wasn't added yesterday.
I really cannot see why the first response would be to panic and think the website somehow found a way to tell the web browser to make X11 calls to move the cursor, which is quite unlikely; the first response would be that there is an a.p.i. to move the cursor inside of its own window, which is harmless, and after that that there is a creative hack to simulate it, and again, it's very easy to verify whether the cursor can be moved by the website once it leaves the browser window, and it cannot.
The most it could do is fool you into thinking your cursor is somewhere else within the same web page, which the malicious dev in this case would already have total control over. If they wanted to fool you into clicking something, they'd have an easier time just mis-labeling the button.
Since this can make you think your cursor is in a different position in the page than it actually is, couldn't it potentially be used to mislead you to click outside the page as well? Possibly not into browser chrome[1], but what about on an iframe?
Place button A the user wants to interact with at position (X,Y), place iframe button B at position (X+W,Y), with as little a border as possible with the rest of the page, then offset fake cursor by -W. User will try to mouse over button A, mistakenly mouse over button B, and click it in the time it takes to register that the mouse pointer just jumped from the edge of one button to the edge of the other...
[1] Though I can see the trick below maybe working for some browsers' permission request "tooltip" UIs...
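Added example, not part of the thread: the site that serves "button B" in the scenario above can refuse to be framed, and this JavaScript evaluates a response's `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers for one would-be embedder. The function names and the `.example` origins are constructed, and the source matcher is simplified (no ports or paths, a single ancestor).

```javascript
// Added example. Simplified source matcher: handles 'self', *, scheme sources
// (https:) and host sources with optional scheme and leading "*." wildcard.
// Ports and paths are not handled and fail closed.
function sourceMatches(src, embedder, self) {
  const e = new URL(embedder);
  if (src.toLowerCase() === "'self'") return e.origin === new URL(self).origin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return e.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(src);
  if (!m) return false; // 'none' and unsupported forms match nothing
  const [, scheme, wild, host] = m;
  if (scheme && e.protocol !== scheme.toLowerCase() + ":") return false;
  const have = e.hostname.toLowerCase(), want = host.toLowerCase();
  return wild ? have.endsWith("." + want) : have === want;
}

// headers: object with lower-cased header names. Checks one would-be
// embedder; a browser applies frame-ancestors to every ancestor frame.
function canBeFramedBy(headers, embedder, self) {
  let sawFrameAncestors = false;
  // Several policies may be comma-joined; each one must allow the embedder.
  for (const policy of (headers["content-security-policy"] || "").split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== "frame-ancestors") continue;
      sawFrameAncestors = true;
      if (!sources.some((s) => sourceMatches(s, embedder, self)))
        return { allowed: false, by: "frame-ancestors" };
      break; // only the first frame-ancestors in a policy counts
    }
  }
  // When frame-ancestors is present, browsers ignore X-Frame-Options.
  if (sawFrameAncestors) return { allowed: true, by: "frame-ancestors" };
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, by: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    const same = new URL(embedder).origin === new URL(self).origin;
    return { allowed: same, by: "x-frame-options" };
  }
  // No header, or the obsolete ALLOW-FROM that current browsers ignore.
  return { allowed: true, by: "none" };
}

// Constructed sample: the framed "button B" page and a hostile embedder.
const SELF = "https://bank.example", EVIL = "https://evil.example";
console.log(canBeFramedBy({}, EVIL, SELF));
console.log(canBeFramedBy({ "content-security-policy": "frame-ancestors 'none'" }, EVIL, SELF));
```

A result of `by: "none"` means the page can be embedded by any origin, which is the precondition the iframe scenario relies on.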
Clever. I really like the dodge around the "how this works" button.
What the site almost certainly does is hide the real cursor and display a "ghost" cursor that it then can move arbitrarily. Once you approach the edge of the site, the illusion breaks down, because your cursor will reappear when the real, not the fake, cursor leaves the site.
It was a bit more obvious for me because my default cursor looks different from the graphic the site uses for their "ghost".
With a user gesture (which the click on the button would be), the site can also take a pointer lock: https://mdn.github.io/dom-examples/pointer-lock/
(but this shows a browser-controlled "this site is controlling your pointer" message).
I've tried on Safari 14.0.3 / Mac OS 11.2.3 and while the cursor does appear to move, its actual position, as determined by what happens when I actually move it, doesn't seem to change.
For example, if I manually move the cursor almost to the top of the page, but not quite, it will move around. Sometimes it disappears "under" the fixed part of the browser. But if I attempt to move it manually, the cursor "teleports" to where I initially left it.
Hmmh, that's weird. The only 3rd party script on that page is Plausible Analytics, and blocking that doesn't affect the functionality on the page. It is loading one (first party) JS file, maybe your uBlock configuration is somehow blocking that? I'm also using uBlock with the default configuration, and it works on the 2 machines that I tested with.
Yeah, you can click it, but only if you already figured out how it works - move the fake mouse cursor to the point where it is almost over the button, blindly move it down a bit and click.
Found a fun Firefox issue where after putting FF in the background I tried to command-click that button to trigger it. My mouse cursor disappeared across the entire OS even though Firefox wasn't the active application! Had to bring Firefox back to the front to see my cursor again.