Chrome, Firefox CSS3 flaw may have let attackers grab Facebook user data

Researchers reveal a tricky technique that uses a CSS3 feature to let attackers recover Facebook user data.
Written by Liam Tung, Contributing Writer

Chrome and Firefox recently received patches for a bug that allowed attackers to reveal Facebook usernames, profile pictures and Likes when users visited an attack site.

The bug lies in how Chrome and Firefox implemented a Cascading Style Sheets (CSS) feature called 'mix-blend-mode', which controls how an element's pixels are blended with whatever is rendered beneath it and was added to the CSS3 standard in 2016.

The browsers' implementations of the feature contained a timing side channel that leaked visual content, such as Facebook profile images, out of cross-origin iframes.

Ruslan Habalov, a security researcher at Google, explained in a blog post on Thursday that an attacker could set up a malicious website that exploits the browser bug to de-anonymize Facebook users simply by having them visit the site while logged in to Facebook.

Habalov, who discovered the bug with security researcher Dario Weißer, notes that their demonstration focused on Facebook, but the flaw affects any site that serves user-specific content from 'endpoints' that can be embedded in an iframe, the Facebook Login button being one example.


Weißer explained to Ars Technica how the attack worked. The attacker's page embeds an iframe pointing at one of these Facebook endpoints, layers elements styled with mix-blend-mode on top of it, and infers the iframe's visual content from how the browser behaves while rendering those layers.

"We cannot access the iframe's content directly. However, we can put overlays over the iframe that do some kind of graphical interaction with the underlying pixels," Weißer said.

"Since these overlays are controlled by the attacker's site, it is possible to measure how long these graphical interactions take."

Weißer added that some blend modes take a variable amount of time to compute depending on the color of the underlying pixel.

"If the color of the tested pixel has color X, the rendering process can take longer than for color Y. The leak allows [us to] determine the color of individual pixels. We don't leak the HTML, but the visual contents of the targeted iframe."
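The quotes above describe the channel but not the attacker-side bookkeeping needed to turn noisy per-pixel timings into an image. The block below is an added illustration, not code from the researchers or from this article: it models the inference loop such a channel requires (calibrate against pixels of known color on the attacker's own page, measure each target pixel repeatedly, reduce to the median to suppress jitter, threshold, rebuild the bitmap). The browser compositor is replaced by a constructed timing model so the block runs offline in Node; the secret bitmap, the timing values and the noise model are all made up for the example. In a real browser the numbers would instead come from timing frames rendered over the stacked blend layers.

```javascript
// Added example, not the researchers' code. It models only the inference
// step of a pixel-timing side channel: the browser is replaced by a
// constructed timing model so everything here runs offline in Node.

// Constructed "secret": the visual content of the cross-origin iframe
// (1 = dark pixel, 0 = light pixel). Made up for this example.
const SECRET = [
  "..####..",
  ".#....#.",
  "#......#",
  "########",
  "#......#",
  "#......#",
].map(row => [...row].map(ch => (ch === "#" ? 1 : 0)));

// Small deterministic LCG so the run is reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 0x100000000;
  };
}

// Constructed stand-in for the leaky renderer. Measuring pixel (x, y) n times
// returns n "frame times": a base that depends on the color underneath the
// blend-mode stack (dark slower than light, as the article describes) plus
// jitter. The jitter is an evenly spaced sweep over [-jitter, +jitter] in
// shuffled order rather than raw random noise: single observations of the
// two classes still overlap, but the per-pixel median is exact, which keeps
// the example reproducible. The numbers are assumptions, not measurements.
function makeMeasurer(bitmap, rng, { dark = 14, light = 9, jitter = 4 } = {}) {
  return (x, y, n) => {
    const base = bitmap[y][x] ? dark : light;
    const noise = Array.from({ length: n }, (_, i) =>
      n > 1 ? jitter * ((2 * i) / (n - 1) - 1) : 0);
    for (let i = noise.length - 1; i > 0; i--) { // Fisher-Yates shuffle
      const j = Math.floor(rng() * (i + 1));
      [noise[i], noise[j]] = [noise[j], noise[i]];
    }
    return noise.map(d => base + d);
  };
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Calibration: the attacker renders the same blend stack over two pixels it
// controls on its own page, one known-dark and one known-light, and splits
// the two timing classes at the midpoint.
function calibrate(measurerFor, n) {
  const tDark = median(measurerFor([[1]])(0, 0, n));
  const tLight = median(measurerFor([[0]])(0, 0, n));
  return { tDark, tLight, threshold: (tDark + tLight) / 2 };
}

// Recovery: measure every target pixel n times, reduce to the median and
// classify against the calibrated threshold.
function recoverBitmap(measure, width, height, n, threshold) {
  const out = [];
  for (let y = 0; y < height; y++) {
    const row = [];
    for (let x = 0; x < width; x++) {
      row.push(median(measure(x, y, n)) > threshold ? 1 : 0);
    }
    out.push(row);
  }
  return out;
}

function toAscii(bitmap) {
  return bitmap.map(r => r.map(b => (b ? "#" : ".")).join("")).join("\n");
}

function accuracy(got, want) {
  let ok = 0, total = 0;
  got.forEach((row, y) => row.forEach((v, x) => { total++; if (v === want[y][x]) ok++; }));
  return ok / total;
}

// End-to-end run against the constructed secret.
function runDemo(n = 15, seed = 42) {
  const rng = makeRng(seed);
  const measurerFor = bitmap => makeMeasurer(bitmap, rng);
  const cal = calibrate(measurerFor, n);
  const recovered = recoverBitmap(measurerFor(SECRET), SECRET[0].length, SECRET.length, n, cal.threshold);
  return { cal, recovered, ascii: toAscii(recovered), accuracy: accuracy(recovered, SECRET) };
}

const demo = runDemo();
console.log(`threshold ${demo.cal.threshold}`);
console.log(demo.ascii);
console.log(`recovered ${demo.accuracy * 100}% of pixels`);
```

The point of the structure is that the attacker never reads the iframe's pixels: it only ever observes how long its own overlays take to render, and the calibration against known colors is what turns raw durations into a decision. Repeating each measurement and taking the median is what makes the channel usable on a real machine, where a single frame time is dominated by scheduling noise.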

Google had already fixed the issue in Chrome 63, released in December 2017; Mozilla followed with Firefox 60 in May 2018. Internet Explorer and Microsoft Edge were never vulnerable because they did not support mix-blend-mode at all. Safari also supports the feature but was not affected, for reasons the researchers could not explain.

The researchers also reported the issue to Facebook, but the company concluded there was nothing it could fix on its side: the only site-level defence against this kind of leak is to refuse to be framed at all (for example with an X-Frame-Options or Content-Security-Policy frame-ancestors header), which would have meant removing the very endpoints, such as the Login button, that exist to be embedded in third-party pages.


Researchers demonstrate leaking the Facebook username, left, and profile picture, right, out of an embedded Facebook iframe.

Image: Ruslan Habalov
