CSS Is Now So Overpowered It Can Deanonymize Facebook Users

An anonymous reader writes: Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook. Information leaked via this attack could aid some advertisers linking IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy. The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.

The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard. Security researchers have proven that by overlaying multiple layers of 1x1px-sized DIV layers on top of iframes, each layer with a different blend mode, they could determine what's displayed inside it and recover the data, to which parent websites cannot regularly access. This attack works in Chrome and Firefox, but has been fixed in recent versions.

Only last sentence is relevant

[93+Escort+Wagon]

”This attack works in Chrome and Firefox, but has been fixed in recent versions.”

In other words, this is a clever exploit of a bug - not a fundamental issue with CSS. The rest is FUD.

Re:Only last sentence is relevant

[Actually,+I+do+RTFA]

No, this is an exploit of a fundamental issue with CSS. By breaking with the standards, Chrome and FireFox are avoiding the issue.

It's similar to how no browser fully implements the JS spec. Because it has some (very edge case) stupid behavior. But that's okay, because the unimplemented parts will never come up anyhow.

uMatrix

Get it now. Block all CSS across the board.

Re:uMatrix

[grub]

I use uMatrix and the "CSS Exfil Protection" add-on for Firefox. There are some sites I use that need CSS to be even remotely useable. Check it out, it has a test page.