Submitted via IRC for SoyCow3941
Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook.
Information leaked via this attack could aid some advertisers link IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy.
The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.
The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard.
The mix-blend-mode feature allows web developers to stack web components on top of each other and add effects for controlling to[sic] the way they interact. As the feature's name hints, these effects are inspired by the blend modes found in photo editing software like Photoshop, Gimp, Paint.net, and others. Example blend modes are Overlay, Darken, Lighten, Color Dodge, Multiply, Inverse, and others.
The CSS3 mix-blend-mode feature supports 16 blend modes and is fully supported in Chrome (since v49) and Firefox (since v59), and partially supported in Safari (since v11 on macOS and v10.3 on iOS).
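Since the leak only works against content that a third-party page is allowed to embed in an iframe, the practical defence for a site owner is a framing restriction. The following is an added example (not code from the article, the researcher, or any browser vendor) that classifies a set of response headers by whether they permit cross-origin framing; the header objects are constructed sample input.

```javascript
// Added example: classify whether a site's response headers allow it to be
// embedded in a cross-origin iframe, the precondition for the mix-blend-mode
// leak described above. Not code from the article or from any browser vendor.

// Split a CSP header into a map of directive -> list of source expressions.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return directives;
}

// headers: plain object with lower-case header names (constructed input).
// Returns { embeddable: 'none' | 'same-origin' | 'listed' | 'any', source }.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors) {
      // frame-ancestors takes precedence over X-Frame-Options where supported;
      // an empty source list is equivalent to 'none'.
      if (ancestors.length === 0 || ancestors.includes("'none'")) {
        return { embeddable: 'none', source: 'csp' };
      }
      if (ancestors.every(a => a === "'self'")) return { embeddable: 'same-origin', source: 'csp' };
      return { embeddable: 'listed', source: 'csp', allowed: ancestors };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { embeddable: 'none', source: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { embeddable: 'same-origin', source: 'x-frame-options' };
  // No framing restriction at all: any third-party page can iframe this content.
  return { embeddable: 'any', source: 'default' };
}

// Constructed sample responses, from unprotected to tightly restricted.
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  xfoDeny: { 'x-frame-options': 'DENY' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  cspListed: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
};

for (const [name, h] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(framingPolicy(h)));
}
```

Only the 'any' result means an arbitrary page can embed the content; 'listed' still deserves a look at which origins are named.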
(Score: 0) by Anonymous Coward on Monday June 04 2018, @08:07PM (2 children)
looks more like yet another IFRAME abuse.
(Score: 0) by Anonymous Coward on Monday June 04 2018, @09:16PM
It could also be thought of as an implementation issue, or a side-channel attack, or combination thereof. Even if you allow layering iframes on top of each other and blend them for display, you now have information about the underlay frames leaking into the overlay or main page, allowing the site to read or infer state information about the site it should not normally have access to if rules from XSS and the likes also applied to rendering.
Wasn't there a similar CSS abuse attack recently involving hyperlinks and how they're rendered, to allow one site to infer browser history state of other sites? Mix-blend-mode seems to be equally not fully well thought through.
(Score: 2) by The Mighty Buzzard on Monday June 04 2018, @11:16PM
Sounds like yet another good reason to never allow iframes in your primary browser and to use another browser entirely for garbage that can't run without all kinds of bells and whistles.
My rights don't end where your fear begins.