Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
The Internet Privacy

CSS Is Now So Overpowered It Can Deanonymize Facebook Users (bleepingcomputer.com) 92

An anonymous reader writes: Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook. Information leaked via this attack could aid some advertisers linking IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy. The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.

The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard. Security researchers have proven that by overlaying multiple layers of 1x1px-sized DIV layers on top of iframes, each layer with a different blend mode, they could determine what's displayed inside it and recover the data, to which parent websites cannot regularly access. This attack works in Chrome and Firefox, but has been fixed in recent versions.

This discussion has been archived. No new comments can be posted.

CSS Is Now So Overpowered It Can Deanonymize Facebook Users

Comments Filter:
  • by Anonymous Coward

    Umm Facebook is soo overpowered that they have soo much information COUPLED with poor coding that permits leaking this infomation...

    • The information leak has nothing to do with Facebook specifically. It works by "scanning" the contents of an iframe, which you should work with any other website just as well.
  • by Anonymous Coward

    What's the big deal? CSS isn't the problem, browser's shoddy implementations is/was.

  • by 93 Escort Wagon ( 326346 ) on Saturday June 02, 2018 @03:51PM (#56717070)

    ”This attack works in Chrome and Firefox, but has been fixed in recent versions.”

    In other words, this is a clever exploit of a bug - not a fundamental issue with CSS. The rest is FUD.

    • by Anonymous Coward

      This is hardly the first time CSS has been used as an attack vector. You used to be able to tell the websites a visitor visited by listing a bunch of links, and then checking if they matched visited link CSS.

    • by Actually, I do RTFA ( 1058596 ) on Saturday June 02, 2018 @04:09PM (#56717128)

      No, this is an exploit of a fundamental issue with CSS. By breaking with the standards, Chrome and FireFox are avoiding the issue.

      It's similar to how no browser fully implements the JS spec. Because it has some (very edge case) stupid behavior. But that's okay, because the unimplemented parts will never come up anyhow.

    • ”This attack works in Chrome and Firefox, but has been fixed in recent versions.”

      In other words, this is a clever exploit of a bug - not a fundamental issue with CSS. The rest is FUD.

      'This attack works in Chrome and Firefox, but has been fixed in recent versions' really means 'this attack no longer works in Chrome or Firefox'. But to sell clicks you need to FUD it up as much as you can.

      • So you think everyone is always running the latest versions of all software? Are you naive or just intentionally dense?

        • So you think everyone is always running the latest versions of all software? Are you naive or just intentionally dense?

          Cool story...

  • and if I don't use Facebook?

    oh it's fixed too?

    clickbait!

  • No more adding features to HTML5/CSS/JS. They are only being used for things like tracking, spying, malware and crypto mining.
    • No more adding features to HTML5/CSS[3]> /JS

      You mean, let's go back to HTML4/CSS2/[No JS, because why]. If people want GoogleDocs let it be a fucking native plugin.

      • If people want GoogleDocs let it be a fucking native plugin.

        Oh yes... because having Flash everywhere worked so well for us all.

        • because having Flash everywhere worked so well for us all.

          Yes it fucking did. Flash/HTML4/CSS2 was strictly superior tech stack to HTML5/CSS3/JS. It handled cross-domain security better. It handled browser isolation better. It was a better programming language. It had fewer super-tracking features.

          I will give you that Flash pushed people towards XML and JS pushed people towards JSON.

          • by tlhIngan ( 30335 )

            Yes it fucking did. Flash/HTML4/CSS2 was strictly superior tech stack to HTML5/CSS3/JS. It handled cross-domain security better. It handled browser isolation better. It was a better programming language. It had fewer super-tracking features.

            It may be technically better, but the implementation was clearly worse.

            Because there were constant security issues, basically weekly. Update, update and update, and Adobe was completely inept at it, because even "installing fresh" still installed old vulnerable versions.

            • Adobe has no incentive to fix Flash player issues, since it was something it had to give away

              Flash Player was given away. Flash (the developer software) was highly profitable software. Econ 102 says you give away things that make more people buy your highly profitable goods.

              d say things are better off now, simply because we're not relying on a single company to update their plugin.

              Adobe opened up Flash Player precisely because they didn't make money off it/didn't want to maintain it. IIRC, there was even

  • by Anonymous Coward

    This attack works in Chrome and Firefox, but has been fixed in recent versions.

    So then it _can't_ be used to deanonymize Facebook users.

    Why is this a problem then?

  • this is moronic. if Facebook is leaking private data to the client browser, this is NOT a CSS problem. what an insipid and misleading headline.

  • And don't use Facebook.

    Every day I clear my data. Everything is wiped clean and I start fresh. Yes, advertisers could deduce about me with each daily trek through the Net wilderness, but I also have uMatrix which blocks other forms of advertising and intrusive behavior so they have to work for it.

    Regardless, since I don't see whatever it is they're peddling, it's no big deal. It costs them money so I'm happy.

  • So why is this story blue?

    • CSS powerfulness.
    • by mentil ( 1748130 )

      Probably related to it being posted by 'FirehoseFavorites' which I presume is a bot that autoposts highly-rated Firehose entries if the editors don't post (or queue) anything for long enough. Although this was followed by 2 queued stories so who knows.

    • “Firehose Favorites” are blue. This is only the second or third one I’ve seen since Whipslash talked about it quite a while ago.

      • Yes just live testing a feature that 93 Escort Wagon remembers from a while back. Autoposting extremely popular firehose items to the front page. Won't happen unless it's extremely popular.
  • Just delete your account already and flush its cookies.

    I know it doesn't really delete any as Zuck is confirmed liar, but at least don't give him any excuse to have your data.

    Hopefully the EU GDRP is the first step to wipe this obscenity off the face of the earth.

  • You think this is bad, try a password keylogger implemented purely as CSS (no javascript):

    https://css-tricks.com/css-key... [css-tricks.com]

    The real vulnerability in both this and the article example is allowing 3rd party code injection. If you can't trust the source of the code, the language being used doesn't really matter. There will be ways to abuse it.

  • Are browsers like Opera and Edge still vulnerable then? I can't seem to find anything on that.
  • Rendering blur effects on fonts and measuring the time to render to guess letters, checking for expected remote case to expose surfing history ... The stuff web hackers can do is pretty amazing. If you're in web development and are looking for a reason to switch to sheep farming just visit a web hacker conference. You'll come home crying.

  • by epine ( 68316 ) on Sunday June 03, 2018 @10:51AM (#56720322)

    I've commented to a mathematical friend more than once that computer science is mathematics, plus the assumption that time exists. (This also explains why I'm LISP-boner impotent. LISP is computer science, ++delay, minus the assumption that time exists; the user sees time, while the programmer doesn't—what's not to like?—but I still don't get the happy hardness.)

    Moral of the story: fear the clock.

    Do not fear napkin Turing-complete, CSS Turing-complete, nor LISP Turing-complete. (Turing-complete happens by accident at least once out of every nine innings of billiard-table HO-gauge NAND-gate pick-up-sticks.)

    Perhaps what we need is a degraded system timer.

    Ideally, the local mean would wander somewhat slowly on a fractalish time scale, only minimally convex around the extremes so as to stay within a +/- 30 second deviance specification for 99.8% of all samples. Ideally, the estimate of the mean would converge considerably more slowly than sqrt(N). But I don't know my thick-tailed distributions well enough to say what that would look like as an actual thing. You also don't want the difference between step changes to be small, on average; and you don't want the locations of the step changes to occur on precise, minute boundaries, either (duh!) In fact, I think sloppy-clock would return an ascending integer sequence, but the wall-time duration of each distinct integer interval (of minute-ish duration) would be unpredictable, as described.

    My math is feeble enough that I can't even prove that my sloppy-clock as roughly stipulated even exists in practice, but let's assume it does.

    Then you need to implement a security ring where the best clock available is sloppy-clock—and stuff all foreign scripts in there. Yes, plugging time leaks from the outside world in a sophisticated API is hard. True mathematicians need not apply (i.e. LISP won't help you in this endeavour, not even a little bit).

    By avoiding capacitors (condensors) von Neumann's IAS computer could be frozen and single-stepped, or run at any frequency you desired, until the internal bit signals themselves became unstable. (Some of these early designs were actually asynchronous and self-timed.) Effectively uncoupled from the real world, such a machine has no ability to introspect the duration of its own operations—unless you screw up, and give it an actual wall clock or cycle-clock or global operation-count API (the second case is only possible with synchronous designs).

    Uncoupled computing (Internet 404) is not popular under the modern CSS paradigm, so you do probably have to at least make a concession for sloppy-clock (which dingbat users can upgrade to precise-clock if it bothers them that their ESPN scoreboard page refreshes aren't entirely concurrent with the real world; it would also suck for implementing chess clocks; but not, strangely, for anticipating when a soccer game will officially end).

    Anyways, this whole proposal is a massive research project.

    I'm merely pointing out that computer science is merely mathematics—right up until time begins.

    Von Neumann's early IAS computer didn't even have (internal) time. (That's because they had more than enough problems to deal with, already, without scoring an own goal.) Interestingly, Turing specified hardware random number generation from the get go, on purely formal reasoning about the space of available computation. Turns out, precisely measurable operational elapsed-time is ultimately more insidious (under promiscuous interconnection) than nondeterminacy. (A promiscuous web page being any web page bearing more than one cookie, or related code artifact.)

    Maybe time does not fly like an arrow as described in its early scouting reports—but it certainly does leak (across code-execution trust domains) like a bat out of hell.

    • by epine ( 68316 )

      My "own goal" comment was actually a bit of a joke (ha! made you think) because elsewhere I state that time oracles were far less of a hazard back in the day of Internet 404.

      But you could already have your programming team for the hydrogen bomb's neutron Monte Carlo simulation partitioning into less classified programmers who write the I/O portion (generally punched cards on stdin and stdout, in some cases every card representing a separate neutron) from the highly classified mathematicians coding the actua

  • THIS IS FACEBOOK!!!
  • [TFA] security researcher has abused them

    Hey wait. This is a tech site.
    How about leveraged them, or even used them?

    Imagine non-tech readers. It's a gimmick to trigger one of those "there oughta be a law" responses. THIS is how we get laws against the sale and possession of radio scanners that can tune in unprotected police communications. And instead of forcing police to upgrade their equipment, they get a bonus opportunity during traffic stops to pretend that their K9s 'signalled' the presence of an illegal scanner. Which in turn, encourages

Ummm, well, OK. The network's the network, the computer's the computer. Sorry for the confusion. -- Sun Microsystems

Working...