CSS Is Now So Overpowered It Can Deanonymize Facebook Users (bleepingcomputer.com)
An anonymous reader writes: Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and whether they liked a particular Facebook page. Information leaked via this attack could aid advertisers in linking IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy. The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.
The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard. Security researchers have proven that by overlaying multiple 1x1px-sized DIV layers on top of iframes, each layer with a different blend mode, they could determine what's displayed inside the iframe and recover data which parent websites cannot normally access. This attack works in Chrome and Firefox, but has been fixed in recent versions.
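The summary notes that the leak affects any site that lets its pages be framed by other origins; the site-side defence is to refuse cross-origin framing with `X-Frame-Options` or a CSP `frame-ancestors` directive. The following is an added example, not code from the article or the researcher, that classifies a response's framing policy from its headers; the header samples are constructed.

```javascript
// Added example: decide whether a response's headers stop cross-origin framing,
// which is the site-side defence against the iframe side channel described above.
// Parsing follows the Content-Security-Policy (frame-ancestors) and
// X-Frame-Options header syntax; all sample headers below are constructed.

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes around keyword sources such as 'self' and 'none'.
      return tokens.slice(1).map(t => t.toLowerCase().replace(/^'|'$/g, ''));
    }
  }
  return null;
}

// Classify a response as 'blocked' (no one may frame it), 'same-origin',
// 'restricted' (explicit allow list) or 'open' (any site may embed it).
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When both headers are present, browsers honour frame-ancestors and
  // ignore X-Frame-Options, so check CSP first.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    if (ancestors.length === 1 && ancestors[0] === 'none') return 'blocked';
    if (ancestors.includes('*')) return 'open';
    if (ancestors.every(a => a === 'self')) return 'same-origin';
    return 'restricted';
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // ALLOW-FROM is obsolete and ignored by current browsers; an absent or
  // unrecognised value leaves the page embeddable by anyone.
  return 'open';
}
```

Pages that come back as 'open' are the ones whose content a hostile parent page could have probed through the blend-mode channel in unpatched browsers.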
"This attack works in Chrome and Firefox, but has been fixed in recent versions."
In other words, this is a clever exploit of a bug - not a fundamental issue with CSS. The rest is FUD.
#DeleteChrome
You mean, let's go back to HTML4/CSS2/[No JS, because why]. If people want GoogleDocs let it be a fucking native plugin.
Your ad here. Ask me how!
Because lots of people run old versions of software?
I use uMatrix and the "CSS Exfil Protection" add-on for Firefox. There are some sites I use that need CSS to be even remotely useable. Check it out, it has a test page.
Trolling is a art,
It may be technically better, but the implementation was clearly worse.
Because there were constant security issues, basically weekly. Update, update and update, and Adobe was completely inept at it, because even "installing fresh" still installed old vulnerable versions. Eventually, they gave up simply due to cost reasons.
And super tracking used Flash extensively - the "super cookie" exploit where a website could set a non-removable cookie used Flash. You could delete every cookie on your system but miss one and they would re-appear. And the way to manage Flash cookies was extremely lame. There was no need to do super tracking because Flash ensured your cookies stayed with you. Or better yet, even violating the cookie policies of the browser.
I'd say things are better off now, simply because we're not relying on a single company to update their plugin. Heck, Adobe was genuinely slow enough that 0-days would be out, forcing the security release, and timelines for a fix were often at least a week away. (And remember, Adobe had no incentive to fix Flash Player issues, since it was something it had to give away.)
I've commented to a mathematical friend more than once that computer science is mathematics, plus the assumption that time exists. (This also explains why I'm LISP-boner impotent. LISP is computer science, ++delay, minus the assumption that time exists; the user sees time, while the programmer doesn't—what's not to like?—but I still don't get the happy hardness.)
Moral of the story: fear the clock.
Do not fear napkin Turing-complete, CSS Turing-complete, nor LISP Turing-complete. (Turing-complete happens by accident at least once out of every nine innings of billiard-table HO-gauge NAND-gate pick-up-sticks.)
Perhaps what we need is a degraded system timer.
Ideally, the local mean would wander somewhat slowly on a fractalish time scale, only minimally convex around the extremes so as to stay within a +/- 30 second deviance specification for 99.8% of all samples. Ideally, the estimate of the mean would converge considerably more slowly than sqrt(N). But I don't know my thick-tailed distributions well enough to say what that would look like as an actual thing. You also don't want the difference between step changes to be small, on average; and you don't want the locations of the step changes to occur on precise minute boundaries, either (duh!). In fact, I think sloppy-clock would return an ascending integer sequence, but the wall-time duration of each distinct integer interval (of minute-ish duration) would be unpredictable, as described.
My math is feeble enough that I can't even prove that my sloppy-clock as roughly stipulated even exists in practice, but let's assume it does.
Then you need to implement a security ring where the best clock available is sloppy-clock—and stuff all foreign scripts in there. Yes, plugging time leaks from the outside world in a sophisticated API is hard. True mathematicians need not apply (i.e. LISP won't help you in this endeavour, not even a little bit).
By avoiding capacitors (condensors) von Neumann's IAS computer could be frozen and single-stepped, or run at any frequency you desired, until the internal bit signals themselves became unstable. (Some of these early designs were actually asynchronous and self-timed.) Effectively uncoupled from the real world, such a machine has no ability to introspect the duration of its own operations—unless you screw up, and give it an actual wall clock or cycle-clock or global operation-count API (the second case is only possible with synchronous designs).
Uncoupled computing (Internet 404) is not popular under the modern CSS paradigm, so you do probably have to at least make a concession for sloppy-clock (which dingbat users can upgrade to precise-clock if it bothers them that their ESPN scoreboard page refreshes aren't entirely concurrent with the real world; it would also suck for implementing chess clocks; but not, strangely, for anticipating when a soccer game will officially end).
Anyways, this whole proposal is a massive research project.
I'm merely pointing out that computer science is merely mathematics—right up until time begins.
Von Neumann's early IAS computer didn't even have (internal) time. (That's because they had more than enough problems to deal with, already, without scoring an own goal.) Interestingly, Turing specified hardware random number generation from the get go, on purely formal reasoning about the space of available computation. Turns out, precisely measurable operational elapsed-time is ultimately more insidious (under promiscuous interconnection) than nondeterminacy. (A promiscuous web page being any web page bearing more than one cookie, or related code artifact.)
Maybe time does not fly like an arrow as described in its early scouting reports—but it certainly does leak (across code-execution trust domains) like a bat out of hell.