
CSS Is So Overpowered It Can Deanonymize Facebook Users


[Image: CSS mix-blend-mode attack]

Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site, revealing their Facebook usernames and avatars and whether they liked a particular Facebook page.

Information leaked via this attack could help advertisers link IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy.

The leak isn't specific to Facebook: it affects any site that allows its content to be embedded on other web pages via iframes.

Vulnerability resides in browsers, not websites

The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard.

The mix-blend-mode feature allows web developers to stack web components on top of each other and apply effects that control how the stacked layers blend with one another.

As the feature's name hints, these effects are inspired by the blend modes found in photo editing software like Photoshop, Gimp, Paint.net, and others. Example blend modes are Overlay, Darken, Lighten, Color Dodge, Multiply, Inverse, and others.

The CSS3 mix-blend-mode feature supports 16 blend modes and is fully supported in Chrome (since v49) and Firefox (since v59), and partially supported in Safari (since v11 on macOS and v10.3 on iOS).

Researchers use a DIV stack to reconstruct iframe content

In research published today, Ruslan Habalov, a security engineer at Google in Switzerland, and security researcher Dario Weißer have revealed how an attacker could abuse CSS3 mix-blend-mode to leak information from other sites.

The technique relies on luring users to a malicious site where the attacker embeds iframes to other sites. In his example, Habalov embedded iframes for one of Facebook's social widgets, but other sites are also susceptible to this issue.

The attack consists of overlaying a huge stack of DIV layers with different blend modes on top of the iframe. These layers are all 1x1 pixel-sized, meaning they cover just one pixel of the iframe.

Habalov says that the time needed to render the entire stack of DIVs depends on the color of the pixel underneath it, so by measuring that rendering time an attacker can determine the color of that pixel as shown on the user's screen.

The researcher says that by gradually moving this DIV "scan" stack across the iframe, "it is possible to determine the iframe’s content."

Normally, an attacker wouldn't be able to access the data of these iframes due to anti-clickjacking and other security measures implemented in browsers and in the remote sites that allow their content to be embedded via iframes.
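The article notes that only pages which permit third-party embedding are reachable by this kind of cross-origin pixel leak, so the first defender-side check is simply: does my page allow another origin to frame it? The following Python snippet is an added example, not code from the article or from Habalov's research; it classifies a response's framing policy from its X-Frame-Options header and its Content-Security-Policy frame-ancestors directive (frame-ancestors takes precedence when both are present). The header sets and host names are constructed placeholders.

```python
"""Classify whether an HTTP response can be framed by a third-party origin.

Added example (not from the article or the researchers). A page that a
foreign site can embed in an iframe is within reach of cross-origin
pixel-leak attacks such as the mix-blend-mode timing channel; a page that
denies cross-origin framing is not.
"""

# Constructed sample responses; none of these were captured from a real site.
SAMPLE_RESPONSES = {
    # A social-plugin style widget that is meant to be embedded anywhere.
    "widget": {"Content-Type": "text/html"},
    # An internal dashboard that only its own origin may frame.
    "dashboard": {"X-Frame-Options": "SAMEORIGIN"},
    # A login page: CSP frame-ancestors wins over the (obsolete) ALLOW-FROM.
    "login": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
    # An embed that is restricted to one named partner origin (placeholder).
    "partner_embed": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
    },
}


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return ""


def _frame_ancestors(csp):
    """Return the frame-ancestors source list (lowercased), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [token.lower() for token in tokens[1:]]
    return None


def framing_policy(headers):
    """Classify who may frame the response: 'deny', 'same-origin', 'allow-list' or 'any'."""
    sources = _frame_ancestors(_header(headers, "content-security-policy"))
    if sources is not None:
        # CSP says frame-ancestors supersedes X-Frame-Options when both exist.
        if not sources or sources == ["'none'"]:
            return "deny"  # an empty source list is equivalent to 'none'
        if all(source == "'self'" for source in sources):
            return "same-origin"
        if any(source in ("*", "http:", "https:") for source in sources):
            return "any"  # wildcard or scheme-only sources let any site frame it
        return "allow-list"

    xfo = _header(headers, "x-frame-options").upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # No header, an unknown value, or ALLOW-FROM (which current browsers
    # ignore) all leave the page framable by any origin.
    return "any"


def exposed_to_cross_origin_framing(headers):
    """True when some third-party origin can embed this response in an iframe."""
    return framing_policy(headers) in ("any", "allow-list")


def report(responses):
    """Map each sample name to (policy, cross-origin-framable)."""
    return {
        name: (framing_policy(hdrs), exposed_to_cross_origin_framing(hdrs))
        for name, hdrs in responses.items()
    }


if __name__ == "__main__":
    for name, (policy, exposed) in report(SAMPLE_RESPONSES).items():
        print(f"{name:14} policy={policy:12} cross-origin-framable={exposed}")
```

An "allow-list" result narrows the exposure to the listed partner origins rather than removing it, and a widget that exists to be embedded everywhere (the Facebook social plugin case in the article) will always classify as "any"; for such content the only real fix is the browser-side one described below, since the embedding site cannot be trusted.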

Two very impressive demos are available

In two demos Habalov published online (here and here), he was able to retrieve a user's Facebook name, a low-res version of his avatar, and the sites he liked.

The actual attack takes about 20 seconds to leak the username, 500 milliseconds to check the status of any liked/not-liked page, and around 20 minutes to retrieve a Facebook user's avatar.

The attack is easy to disguise because the iframe can be moved offscreen or hidden under another element (see the demo gif below, which hides the attack under a cat photo). Keeping a user on a site for minutes is also feasible by occupying them with an online quiz or a longer article.

[Demo gif: CSS attack on Facebook]

Fixes available for Chrome and Firefox

Habalov reported the bug to Google and Mozilla engineers, who fixed the issue in Chrome 63 and Firefox 60.

"The bug was addressed by vectorizing the blend mode computations," Habalov said. Safari's implementation of CSS3 mix-blend-mode was not affected as the blend mode operations were already vectorized.

Besides Habalov, another researcher named Max May independently discovered and reported this issue to Google in March 2017.


Lythimus
22 days ago
It didn't seem to work in Brave, but it's just based on the Chromium engine, so I'm not sure why it would fail unless my settings somehow prevent the loading of the iframe?

GDPR

By clicking anywhere, scrolling, or closing this notification, you agree to be legally bound by the witch Sycorax within a cloven pine.
Lythimus
28 days ago
another God Damn Privacy Report.
satadru
26 days ago
Also, for GDPR purposes, I live in France now.
New York, NY
alt_text_at_your_service
28 days ago
By clicking anywhere, scrolling, or closing this notification, you agree to be legally bound by the witch Sycorax within a cloven pine.
zippy72
22 days ago
But Sycorax Rock!
alt_text_bot
28 days ago
By clicking anywhere, scrolling, or closing this notification, you agree to be legally bound by the witch Sycorax within a cloven pine.

Saturday Morning Breakfast Cereal - Extinction


Hovertext:
One good way to use semicolons is to not.

Lythimus
111 days ago
I try to only use semicolons when it's my inclination to have a run-on sentence to complete a thought. Even though they look formal, they're good for making print read like spoken language. But I'm no expert.

Tell me, what's the male's opinion on overuse of emdashes, or putting spaces around emdashes, or using a single, spaced endash as an emdash?

2018 CVE List

CVE-2018-?????: It turns out Bruce Schneier is just two mischievous kids in a trenchcoat.
Lythimus
123 days ago
alt_text_bot got scooped.
chrisamico
123 days ago
TFW people you know show up in XKCD.
Boston, MA
reconbot
123 days ago
You know Bruce Schneier?
GreenChange
123 days ago
Nah, he knows the guy who writes comments on public-facing web pages.
chrisamico
123 days ago
Schneier and my wife were Berkman fellows together. Doubt he'd remember me.
Fidtz
122 days ago
https://www.schneier.com/blog/ one of the best blogs over the years
ice0032
121 days ago
hey I found this name on the ground. think you dropped it
alt_text_at_your_service
123 days ago
CVE-2018-?????: It turns out Bruce Schneier is just two mischievous kids in a trenchcoat.
alt_text_bot
124 days ago
CVE-2018-?????: It turns out Bruce Schneier is just two mischievous kids in a trenchcoat.

Saturday Morning Breakfast Cereal - Infrugality


Hovertext:
Before we had kids, people told me I'd stop enjoying jokes about torturing children. WELL LOOK AT ME NOW, BABY.

Today's News:

Londonoids! Submit your proposal to be part of BAHFest!

Lythimus
155 days ago
It's been 10F outside for days and the water bottles in my attic didn't freeze. I wasn't concerned; clearly my dad didn't raise me right.

Saturday Morning Breakfast Cereal - Language


Hovertext:
It gets really bad when they start using loops instead of actively engaging in conversation.

Today's News:

3 weeks left to submit your proposal for BAHFest MIT or BAHFest London!

Lythimus
171 days ago
Replace all the s's with th's and that's accurate.
urbanraccoon
163 days ago
So is it like math where you read all the nested words first then work your way out?
mburch42
170 days ago
I have been accused (by some) of using (entirely) too many parentheses in conversation (both written (email) and spoken).
toddgrotenhuis
170 days ago
Accurate
Indianapolis
kbrint
171 days ago
"Daddy, where did Lisp come from?"