A side-channel vulnerability existed in the implementation of the CSS3 feature called “mix-blend-mode.” It allowed an attacker to de-anonymize a Facebook user running Google Chrome or Mozilla Firefox by luring them to a specially crafted website.
The flaw, now fixed, was discovered last year by the researcher duo Dario Weißer and Ruslan Habalov, and separately by another researcher named Max May.
The proof-of-concept created by the researchers enabled them to harvest data such as the profile picture, username, and ‘like’ status of unsuspecting visitors, the researchers said in their blog post. All of this could be done in the background while the user visited a malicious site.
The visual data leak could occur on pages that embed Facebook content in iframes, such as social plugins and login buttons. Because of a security feature called the same-origin policy, websites can’t read the content of iframes directly. The researchers instead extracted information by placing an overlay on the cross-origin iframe and interacting with the underlying pixels.
While the flaw has been patched for good, the researchers warn that the advanced graphics capabilities added to HTML and CSS could open doors for more attacks like these.
Submitted by: Arnfried Walbrecht