Security News: Chrome, Firefox iframe exploit can steal personal Facebook profile and data (no interaction required)

LASER_oneXM

Feb 4, 2016
A side-channel attack on CSS could expose your personal data to malicious websites, unless you update your browser immediately.

A pair of independent security researchers has revealed a serious flaw in Cascading Style Sheets (CSS) that could leave private user data exposed to malicious websites.

The exploit allows a malicious website to steal a user's Facebook profile picture, the name associated with the profile, and a full list of pages the user has liked, all without requiring any interaction from the victim.
A malicious site would only need to embed a cross-site login iframe that pulls data from Facebook and apply mix-blend-mode, a graphical option added to CSS3 in 2016. From there it takes mere seconds to steal the user's likes and profile name. It only takes a few additional minutes for the malicious site to reconstruct the profile picture using stacks of one-pixel DIV elements.

It doesn't just affect Facebook users either—any website whose personalised pages can be loaded in a cross-origin iframe is susceptible to the attack.

The researchers, Ruslan Habalov and Dario Weißer, say that they aren't surprised that CSS can be exploited to steal personal data. "[With the introduction of] HTML5 and CSS3 the attack surface of browsers grew accordingly," they said. "Consequently, it is no surprise that interactions between such features can cause unexpected behavior impacting the security of their users."
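The defence the article points at is to stop third-party origins from loading personalised pages in an iframe at all, which is what the X-Frame-Options header and the CSP frame-ancestors directive exist for. The check below is an added example, not code from the article or from the researchers; it takes a response's headers and reports whether a given embedding origin would be allowed to frame the page, so an operator can audit endpoints that return user-specific content. Header values and origins used in it are constructed.

```python
"""Can a third-party origin load this response in an iframe?  Decided from
X-Frame-Options and CSP frame-ancestors the way a CSP2-capable browser does."""
from urllib.parse import urlsplit
import fnmatch

def _origin(url):
    """Reduce a URL or CSP host-source to (scheme, host); ports are ignored here."""
    u = urlsplit(url if "//" in url else "//" + url)
    return u.scheme.lower(), (u.hostname or "").lower()

def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if CSP lacks it."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]  # empty list matches nothing
    return None

def _source_allows(src, page, embedder):
    """Does one frame-ancestors source expression match the embedder origin?"""
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    if src.endswith(":") and "//" not in src:  # scheme-source, e.g. https:
        return embedder[0] == src[:-1]
    scheme, host = _origin(src)
    # A host-source without a scheme matches the page's own scheme, or https.
    scheme_ok = embedder[0] == scheme if scheme else embedder[0] in (page[0], "https")
    return scheme_ok and fnmatch.fnmatchcase(embedder[1], host)

def may_be_framed_by(headers, page_url, embedder_url):
    """True if a browser honouring these headers would render page_url inside a
    frame on embedder_url.  frame-ancestors, when present, overrides
    X-Frame-Options; a missing or unrecognised X-Frame-Options value (such as
    the obsolete ALLOW-FROM) imposes no restriction, which is the weak case."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_allows(s, page, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True
```

A response with neither header, or with a CSP that has no frame-ancestors directive and no X-Frame-Options, is reported as framable by any origin, which is the condition the article's attack needs.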