CSS Is Now So Overpowered It Can Deanonymize Facebook Users (bleepingcomputer.com)
An anonymous reader writes: Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook. Information leaked via this attack could aid some advertisers linking IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy. The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.
The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard. Security researchers have proven that by overlaying multiple layers of 1x1px-sized DIV layers on top of iframes, each layer with a different blend mode, they could determine what's displayed inside it and recover the data, which parent websites cannot normally access. This attack works in Chrome and Firefox, but has been fixed in recent versions.
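The summary's point that the leak affects any page which lets itself be embedded via iframes suggests the check a site owner would run on their own responses. The following is an added example (not code from the article or from any browser or Facebook), which reads a response's `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers and reports whether a given third-party origin could frame the page; the sample headers and the origins `social.example`, `partner.example` and `tracker.example` are constructed.

```javascript
// Added example, not code from the article or the thread: decide from a page's
// response headers whether a third-party origin is allowed to put it in an
// iframe. A page that any site can frame is the kind of page exposed to
// pixel-reading side channels such as the mix-blend-mode leak; a page that
// forbids cross-site framing is not. Headers below are constructed samples.
// Simplifications (assumptions): CSP host-source ports are ignored, and the
// obsolete X-Frame-Options ALLOW-FROM form is treated as no restriction.

function hostMatches(pattern, host) {
  // CSP host-source: exact host, or "*.example.com" for any subdomain.
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceAllows(source, pageOrigin, embedderOrigin) {
  const s = source.toLowerCase();
  const embedder = new URL(embedderOrigin);
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === pageOrigin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.*-]+)(?::(?:\d+|\*))?$/.exec(s);
  if (!m) return false; // an unparseable source never grants access
  if (m[1] && embedder.protocol !== m[1] + ":") return false;
  return hostMatches(m[2], embedder.hostname);
}

function canBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (fa) {
    // frame-ancestors takes precedence over X-Frame-Options; an empty list means 'none'.
    const sources = fa.split(/\s+/).slice(1);
    return sources.some(src => sourceAllows(src, pageOrigin, embedderOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true; // no framing restriction at all: any site may embed the page
}

// Constructed sample responses from a hypothetical site https://social.example
const SAMPLES = {
  unprotected: { "Content-Type": "text/html" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: { "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example" },
  xfoSame: { "X-Frame-Options": "SAMEORIGIN" },
};
```

Only the `unprotected` sample, which carries neither header, can be embedded by an arbitrary tracker origin; the `cspPartner` policy admits `https://app.partner.example` but rejects the same host over plain `http:`.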
umm no (Score:1)
Umm Facebook is soo overpowered that they have soo much information COUPLED with poor coding that permits leaking this information...
Re: (Score:1)
If it was already fixed... (Score:1)
What's the big deal? CSS isn't the problem, browsers' shoddy implementations are/were.
Only last sentence is relevant (Score:5, Informative)
"This attack works in Chrome and Firefox, but has been fixed in recent versions."
In other words, this is a clever exploit of a bug - not a fundamental issue with CSS. The rest is FUD.
Re: (Score:1)
This is hardly the first time CSS has been used as an attack vector. You used to be able to tell the websites a visitor visited by listing a bunch of links, and then checking if they matched visited link CSS.
Re: (Score:1)
That one might actually still work...
Re:Only last sentence is relevant (Score:4, Informative)
No, this is an exploit of a fundamental issue with CSS. By breaking with the standards, Chrome and Firefox are avoiding the issue.
It's similar to how no browser fully implements the JS spec. Because it has some (very edge case) stupid behavior. But that's okay, because the unimplemented parts will never come up anyhow.
Re: (Score:2)
On the contrary, timing attacks are a problem in the specification. "Do X as fast as possible" is the default. "Do X in constant time" is an exception. It's a fundamental flaw in the spec.
Ultimately, specifications need to anticipate attacks and include mitigations.
Re: (Score:2)
"This attack works in Chrome and Firefox, but has been fixed in recent versions."
In other words, this is a clever exploit of a bug - not a fundamental issue with CSS. The rest is FUD.
'This attack works in Chrome and Firefox, but has been fixed in recent versions' really means 'this attack no longer works in Chrome or Firefox'. But to sell clicks you need to FUD it up as much as you can.
Re: (Score:2)
So you think everyone is always running the latest versions of all software? Are you naive or just intentionally dense?
Re: (Score:2)
So you think everyone is always running the latest versions of all software? Are you naive or just intentionally dense?
Cool story...
Re: Lazy Coding not CSS (Score:1)
Congratulations on having no grasp at all of the security implications in the premise of this article.
Re:uMatrix (Score:4, Informative)
Re: (Score:2)
At least apply the same rules that most browsers do in AJAX calls to prevent calling a site that is on a different server. Yes, it sucks for developers, but if you make the server-side passthrough you now have some control of the security.
Unfortunately good security doesn’t mean the easiest way to code it
Re: Iframes should just be banned. (Score:2)
Lots of web apps nowadays don't even pass through anything but a static server. Requiring third party APIs to pass through a server in many cases undermines the way the web is designed to work.
Re: (Score:2)
The web was designed to be a choose your own adventure book.
Then people wanted better formatting options, and then they want to fill out information with forms, then these forms would like to have a client side to validate data. Then we wanted more advanced formatting options, and be able to change the HTML without refreshing a page.
The Web is now an Application Platform. Because of this, it needs security restrictions to make it work as such.
Re: (Score:1)
Interestingly enough, the W3C did try to remove iframes and frames both from the spec. Pressure from advertisers over this and some other sanity-induced changes caused the industry to split with the W3C though and make their own "HTML5" standard, which the W3C then only later ratified in order to remain relevant.
CSS so overpowered it changes headline color (Score:1)
and if I don't use Facebook?
oh it's fixed too?
clickbait!
Re: (Score:1)
The headline should read Facebook security is so underpowered that CSS can deanonymize users.
I'm no fan of Facebook, but that's definitely not what the headline should read.
The attack works by using the blend effects to read the pixels rendered within an iframe. It's not reading the DOM of the iframe at all.
Are you suggesting that Facebook and other websites should have come up with a way to make it impossible to read the pixels on a webpage? .... ohhhhh, you're a DRM developer, aren'tcha? :)
We need to freeze the Web Specifications. (Score:2)
Re: (Score:3)
You mean, let's go back to HTML4/CSS2/[No JS, because why]. If people want GoogleDocs let it be a fucking native plugin.
Re: (Score:2)
If people want GoogleDocs let it be a fucking native plugin.
Oh yes... because having Flash everywhere worked so well for us all.
Re: (Score:2)
Yes it fucking did. Flash/HTML4/CSS2 was a strictly superior tech stack to HTML5/CSS3/JS. It handled cross-domain security better. It handled browser isolation better. It was a better programming language. It had fewer super-tracking features.
I will give you that Flash pushed people towards XML and JS pushed people towards JSON.
Re: (Score:3)
It may be technically better, but the implementation was clearly worse.
Because there were constant security issues, basically weekly. Update, update and update, and Adobe was completely inept at it, because even "installing fresh" still installed old vulnerable versions.
Re: (Score:2)
Flash Player was given away. Flash (the developer software) was highly profitable software. Econ 102 says you give away things that make more people buy your highly profitable goods.
Adobe opened up Flash Player precisely because they didn't make money off it/didn't want to maintain it. IIRC, there was even
Re: (Score:2)
Also, embedding a scripted programming language in a different document format is an abomination.
I agree, it should have been Lisp all the way down.
Re: (Score:2)
CSS and JS are pretty much just patches added on top of HTML because HTML isn't a suitable document format to describe web pages the way page creators want them to be.
HTML, CSS, and JS all do completely different things, if used correctly.
HTML should describe the content of the page. It should be the words spoken by a screen reader, or the information a search engine should index. In essence, it is just the meaningful information, in its most-native structure, and nothing more.
CSS is the presentation of that information. There should be CSS definitions for how that screen reader should pronounce particular words or emphasize particular phrases. There should be CSS defini
Crying wolf (Score:1)
This attack works in Chrome and Firefox, but has been fixed in recent versions.
So then it _can't_ be used to deanonymize Facebook users.
Why is this a problem then?
Re: (Score:3)
Because lots of people run old versions of software?
uh no? (Score:2)
this is moronic. if Facebook is leaking private data to the client browser, this is NOT a CSS problem. what an insipid and misleading headline.
Re: (Score:2)
Would it make a difference? They're leaking it everywhere else.
Re: uh no? (Score:2)
That's only true if you were too lazy to read how the attack actually works.
Good thing I clear my data (Score:2)
And don't use Facebook.
Every day I clear my data. Everything is wiped clean and I start fresh. Yes, advertisers could deduce about me with each daily trek through the Net wilderness, but I also have uMatrix which blocks other forms of advertising and intrusive behavior so they have to work for it.
Regardless, since I don't see whatever it is they're peddling, it's no big deal. It costs them money so I'm happy.
Blue? (Score:2)
So why is this story blue?
Re: (Score:2)
Re: (Score:2)
S-so CSS can be used to color elements of a web page? I never knew.
Re: (Score:2)
Probably related to it being posted by 'FirehoseFavorites' which I presume is a bot that autoposts highly-rated Firehose entries if the editors don't post (or queue) anything for long enough. Although this was followed by 2 queued stories so who knows.
Re: (Score:2)
“Firehose Favorites” are blue. This is only the second or third one I’ve seen since Whipslash talked about it quite a while ago.
Re: (Score:2)
Facebook is the root of all evil. (Score:1)
Just delete your account already and flush its cookies.
I know it doesn't really delete any as Zuck is confirmed liar, but at least don't give him any excuse to have your data.
Hopefully the EU GDPR is the first step to wipe this obscenity off the face of the earth.
Password keylogger via CSS (Score:2)
You think this is bad, try a password keylogger implemented purely as CSS (no javascript):
https://css-tricks.com/css-key... [css-tricks.com]
The real vulnerability in both this and the article example is allowing 3rd party code injection. If you can't trust the source of the code, the language being used doesn't really matter. There will be ways to abuse it.
What about non-Chrome/Firefox? (Score:1)
Attacks like these aren't new (Score:2)
Rendering blur effects on fonts and measuring the time to render to guess letters, checking for expected remote case to expose surfing history ... The stuff web hackers can do is pretty amazing. If you're in web development and are looking for a reason to switch to sheep farming just visit a web hacker conference. You'll come home crying.
fear the clock (Score:3)
I've commented to a mathematical friend more than once that computer science is mathematics, plus the assumption that time exists. (This also explains why I'm LISP-boner impotent. LISP is computer science, ++delay, minus the assumption that time exists; the user sees time, while the programmer doesn't—what's not to like?—but I still don't get the happy hardness.)
Moral of the story: fear the clock.
Do not fear napkin Turing-complete, CSS Turing-complete, nor LISP Turing-complete. (Turing-complete happens by accident at least once out of every nine innings of billiard-table HO-gauge NAND-gate pick-up-sticks.)
Perhaps what we need is a degraded system timer.
Ideally, the local mean would wander somewhat slowly on a fractalish time scale, only minimally convex around the extremes so as to stay within a +/- 30 second deviance specification for 99.8% of all samples. Ideally, the estimate of the mean would converge considerably more slowly than sqrt(N). But I don't know my thick-tailed distributions well enough to say what that would look like as an actual thing. You also don't want the difference between step changes to be small, on average; and you don't want the locations of the step changes to occur on precise, minute boundaries, either (duh!) In fact, I think sloppy-clock would return an ascending integer sequence, but the wall-time duration of each distinct integer interval (of minute-ish duration) would be unpredictable, as described.
My math is feeble enough that I can't even prove that my sloppy-clock as roughly stipulated even exists in practice, but let's assume it does.
Then you need to implement a security ring where the best clock available is sloppy-clock—and stuff all foreign scripts in there. Yes, plugging time leaks from the outside world in a sophisticated API is hard. True mathematicians need not apply (i.e. LISP won't help you in this endeavour, not even a little bit).
By avoiding capacitors (condensors) von Neumann's IAS computer could be frozen and single-stepped, or run at any frequency you desired, until the internal bit signals themselves became unstable. (Some of these early designs were actually asynchronous and self-timed.) Effectively uncoupled from the real world, such a machine has no ability to introspect the duration of its own operations—unless you screw up, and give it an actual wall clock or cycle-clock or global operation-count API (the second case is only possible with synchronous designs).
Uncoupled computing (Internet 404) is not popular under the modern CSS paradigm, so you do probably have to at least make a concession for sloppy-clock (which dingbat users can upgrade to precise-clock if it bothers them that their ESPN scoreboard page refreshes aren't entirely concurrent with the real world; it would also suck for implementing chess clocks; but not, strangely, for anticipating when a soccer game will officially end).
Anyways, this whole proposal is a massive research project.
I'm merely pointing out that computer science is merely mathematics—right up until time begins.
Von Neumann's early IAS computer didn't even have (internal) time. (That's because they had more than enough problems to deal with, already, without scoring an own goal.) Interestingly, Turing specified hardware random number generation from the get go, on purely formal reasoning about the space of available computation. Turns out, precisely measurable operational elapsed-time is ultimately more insidious (under promiscuous interconnection) than nondeterminacy. (A promiscuous web page being any web page bearing more than one cookie, or related code artifact.)
Maybe time does not fly like an arrow as described in its early scouting reports—but it certainly does leak (across code-execution trust domains) like a bat out of hell.
Re: (Score:2)
My "own goal" comment was actually a bit of a joke (ha! made you think) because elsewhere I state that time oracles were far less of a hazard back in the day of Internet 404.
But you could already have your programming team for the hydrogen bomb's neutron Monte Carlo simulation partitioning into less classified programmers who write the I/O portion (generally punched cards on stdin and stdout, in some cases every card representing a separate neutron) from the highly classified mathematicians coding the actua
Re: (Score:2)
This is not an attack... (Score:1)
Words matter. (Score:2)
[TFA] security researcher has abused them
Hey wait. This is a tech site.
How about leveraged them, or even used them?
Imagine non-tech readers. It's a gimmick to trigger one of those "there oughta be a law" responses. THIS is how we get laws against the sale and possession of radio scanners that can tune in unprotected police communications. And instead of forcing police to upgrade their equipment, they get a bonus opportunity during traffic stops to pretend that their K9s 'signalled' the presence of an illegal scanner. Which in turn, encourages