Security News CSS Is So Overpowered It Can Deanonymize Facebook Users (two demos inside)

LASER_oneXM

Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook.

Information leaked via this attack could help some advertisers link IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy.

The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.


Vulnerability resides in browsers, not websites

The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard.

The mix-blend-mode feature allows web developers to stack web components on top of each other and add effects for controlling the way they interact.

As the feature's name hints, these effects are inspired by the blend modes found in photo editing software like Photoshop, Gimp, Paint.net, and others. Example blend modes are Overlay, Darken, Lighten, Color Dodge, Multiply, Inverse, and others.

The CSS3 mix-blend-mode feature supports 16 blend modes and is fully supported in Chrome (since v49) and Firefox (since v59), and partially supported in Safari (since v11 on macOS and v10.3 on iOS).

Two very impressive demos are available

In two demos Habalov published online (here and here), he was able to retrieve a user's Facebook name, a low-res version of his avatar, and the sites he liked.

The actual attack takes about 20 seconds to leak the username, 500 milliseconds to check the status of any liked/not-liked page, and around 20 minutes to retrieve a Facebook user's avatar.
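
The post notes that the leak affects any site whose content can be embedded on other pages via iframes. As an added example (not part of the original post or the researcher's demos), the following JavaScript classifies a response's framing policy from its X-Frame-Options and Content-Security-Policy frame-ancestors headers; the function names and sample headers are constructed for illustration.

```javascript
// Added example: classify whether a response may be rendered in a cross-origin
// iframe. Header names are real; function names and samples are constructed.
const RANK = { any: 0, allowlist: 1, 'same-origin': 2, none: 3 };
const BROAD = new Set(['*', 'http:', 'https:']); // match (nearly) any embedder

// Classify the source list of one frame-ancestors directive.
function classifySources(sources) {
  if (sources.length === 0 || sources.every(s => s === "'none'")) return 'none';
  if (sources.some(s => BROAD.has(s))) return 'any';
  if (sources.every(s => s === "'self'")) return 'same-origin';
  return 'allowlist';
}

// headers: array of [name, value] pairs (a response may repeat a header).
function framingPolicy(headers) {
  const values = name => headers
    .filter(([n]) => n.toLowerCase() === name)
    .flatMap(([, v]) => v.split(','))
    .map(v => v.trim());

  // Every enforced CSP policy applies; keep the strictest verdict
  // (an approximation: browsers require the embedder to satisfy all of them).
  const verdicts = [];
  for (const policy of values('content-security-policy')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
      if (name === 'frame-ancestors') {
        verdicts.push(classifySources(sources));
        break; // duplicate directives within one policy are ignored
      }
    }
  }
  // When frame-ancestors is present, browsers skip X-Frame-Options entirely.
  if (verdicts.length > 0) {
    return verdicts.reduce((a, b) => (RANK[a] >= RANK[b] ? a : b));
  }

  const xfo = new Set(values('x-frame-options').map(v => v.toUpperCase()));
  const known = ['DENY', 'SAMEORIGIN', 'ALLOWALL'].some(v => xfo.has(v));
  if (xfo.has('DENY') || (xfo.size > 1 && known)) return 'none'; // conflict blocks
  if (xfo.has('SAMEORIGIN')) return 'same-origin';
  return 'any'; // absent, invalid, or obsolete ALLOW-FROM: framing is allowed
}

// Constructed sample: a widget endpoint that sets no framing headers at all.
console.log(framingPolicy([['Content-Type', 'text/html']]));
```

A result of `any` or `allowlist` means the response can be drawn inside another origin's page, which is the precondition the post describes.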
 

Azure

It's important to be up to date.

"The two reported the bug to Google and Mozilla engineers, who fixed the issue in Chrome 63 and Firefox 60."
 