A malicious site would only need to have a cross-site login iframe that pulls data from Facebook and uses
mix-blend-mode, a graphical option added to CSS3 in 2016. From there it takes mere seconds to to steal user likes and a profile name. It only takes a few additional minutes for the malicious site to reconstruct the profile picture using layers of one-pixel
DIV layers.
It doesn't just affect Facebook users either—any website that allows iframes to pull data is susceptible to the attack.
The researchers, Ruslan Habalov and Dario Weißer, say that they aren't surprised that CSS can be exploited to steal personal data. "[With the introduction of] HTML5 and CSS3 the attack surface of browsers grew accordingly," they said. "Consequently, it is no surprise that interactions between such features can cause unexpected behavior impacting the security of their users."