
SoylentNews is people

posted by janrinok on Monday June 04 2018, @07:34PM
from the when-more-is-not-better dept.

Submitted via IRC for SoyCow3941

Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook.

Information leaked via this attack could aid some advertisers in linking IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy.

The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.

The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard.

The mix-blend-mode feature allows web developers to stack web components on top of each other and add effects for controlling to[sic] the way they interact. As the feature's name hints, these effects are inspired by the blend modes found in photo editing software like Photoshop, Gimp, Paint.net, and others. Example blend modes are Overlay, Darken, Lighten, Color Dodge, Multiply, Inverse, and others.

The CSS3 mix-blend-mode feature supports 16 blend modes and is fully supported in Chrome (since v49) and Firefox (since v59), and partially supported in Safari (since v11 on macOS and v10.3 on iOS).

Source: https://www.bleepingcomputer.com/news/security/css-is-so-overpowered-it-can-deanonymize-facebook-users/
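
The summary notes that the leak affects any site that allows its content to be embedded on other pages via iframes. As an added example (not from the article or from SoylentNews), this JavaScript reads a response's `X-Frame-Options` and CSP `frame-ancestors` headers and reports who may frame it; the function names, verdict labels and sample headers are constructed for illustration.

```javascript
// Added example: summarize who may embed a response in a frame.
// `headers` is a plain object of response headers with lower-cased names.
const RANK = ['any-origin', 'allowlist', 'same-origin', 'deny'];

function classifyFrameAncestors(sources) {
  // An empty list or a lone 'none' matches no embedder at all.
  if (sources.length === 0 || sources.every(s => s === "'none'")) return 'deny';
  // "*", a bare scheme ("https:") or "https://*" match arbitrary sites.
  if (sources.some(s => /^(\*|[a-z][a-z0-9+.-]*:(\/\/\*)?)$/.test(s))) return 'any-origin';
  if (sources.every(s => s === "'self'")) return 'same-origin';
  return 'allowlist';
}

function framingPolicy(headers) {
  const verdicts = [];
  // Several policies may arrive comma-joined in one header value.
  for (const policy of (headers['content-security-policy'] || '').split(',')) {
    // Within one policy only the first frame-ancestors directive counts.
    const directive = policy.split(';')
      .map(d => d.trim().toLowerCase().split(/\s+/))
      .find(tokens => tokens[0] === 'frame-ancestors');
    if (directive) verdicts.push(classifyFrameAncestors(directive.slice(1)));
  }
  if (verdicts.length > 0) {
    // Every policy must admit the embedder, so report the strictest class.
    return verdicts.reduce((a, b) => (RANK.indexOf(a) >= RANK.indexOf(b) ? a : b));
  }
  // X-Frame-Options is consulted only when no frame-ancestors is present.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'any-origin'; // header absent, invalid, or the obsolete ALLOW-FROM
}

// Constructed sample responses, not taken from any real site.
const samples = {
  widget: { 'content-type': 'text/html' },
  account: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  partner: { 'x-frame-options': 'DENY',
             'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  legacy: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name.padEnd(8), framingPolicy(headers));
}
```

A verdict of `any-origin` marks a response that an arbitrary third-party page can place in an iframe, which is the condition the summary describes.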


  • (Score: 2) by Bot on Monday June 04 2018, @10:29PM (2 children)


    > Sure, let the browser make decisions under unspecified conditions, but the content-creator should be able to define exact specifications when certain criteria are met.

    OK but, in context, we are talking of people who in 2016 thought blending arbitrary html elements was a good idea.

    > If your content doesn't require layout specification, then your content is probably useless to the world.

    By that standard, the WWW would not have been born, nor USENET, nor gopher. And if USENET had 1% of the effort devoted to develop WWW, and no political pressure against it, we would be posting on alt.science.news.soylent right now.

    --
    Account abandoned.
  • (Score: 0) by Anonymous Coward on Monday June 04 2018, @11:25PM


    > ...if USENET had 1% of the effort devoted to develop WWW, and no political pressure against it, we would be posting on alt.science.news.soylent right now.

    Aaaaand LOVING IT! [/agent86]

  • (Score: 2) by jasassin on Tuesday June 05 2018, @10:26PM


    > And if USENET had 1% of the effort devoted to develop WWW, and no political pressure against it, we would be posting on alt.science.news.soylent right now.

    The first rule of USENET is that you don't talk about USENET. :(

    --
    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A