Researchers have discovered a weakness in the way Chrome and Firefox interact with Cascading Style Sheets 3 (CSS3) that could have caused them to leak usernames, profile pictures and likes from sites such as Facebook.
The chance discovery was made by researcher Ruslan Habalov when he visited Pinterest and noticed it was “displaying my Facebook name and picture inside an iFramed Facebook button.”
Probing deeper, they discovered that the problem was CSS3’s mix-blend-modes, introduced in 2016 and fully supported by Chrome desktop/mobile version 49 from March 2016 onwards, and Firefox desktop/mobile version 59 in March this year.
By rights, the browser same-origin policy should have prevented access to cross-origin iframe content. However, the proof-of-concept (PoC) the researchers developed to exploit the weakness in mix-blend-modes circumvented this.
Mix-blend-modes don’t sound like a promising target through which to leak data, but, as fellow researcher Dario Weißer explained:
We cannot access the iframe’s content directly. However, we can put overlays over the iframe that do some kind of graphical interaction with the underlying pixels. Since these overlays are controlled by the attacker’s site, it is possible to measure how long these graphical interactions take.
This is extremely involved – the mix-blend-mode is being used to infer the content of 1×1 pixels in the iFrame to reveal the presence and colour of that pixel on the user’s screen. Do this for the whole iFrame and (as long as the user is logged in of course) it becomes possible to reconstruct some of its content.
That does make inferring different types of content potentially time consuming, with a user name becoming clear in around 20 seconds but five minutes being needed to generate that user’s much larger profile picture.
The outcome of an attacker exploiting this using a malicious website would have been to deanonymize logged-in visitors not just on Facebook but on any site embedding itself on third parties, on the condition that users can be kept on the site for long enough.
Other use cases include leaking private images, API responses and text files from other sites, as these often require the user to be logged in but don’t come with iframe protection enabled.
The researchers describe the bug as a side-channel weakness. All this means is that they found a way to capture data not from a software flaw but as a side effect of a system working as it was designed to.
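One check a site owner can run over its own response headers, as an added example that is not from the article or the researchers’ proof of concept, is whether a logged-in resource can still be framed cross-origin, which is the precondition for the side channel described above. It evaluates `frame-ancestors` and `X-Frame-Options` the way browsers do (an enforced `frame-ancestors` makes `X-Frame-Options` irrelevant); all header values below are constructed.

```javascript
// Added example, not code from the article or the researchers' PoC: decide
// from a response's headers whether it can be embedded in a cross-origin
// iframe. Header names and values used here are constructed samples.

// Return the frame-ancestors source list from one CSP value, or null if the
// directive is absent from that value.
function frameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: lower-cased header name -> array of values (a response may carry
// several Content-Security-Policy headers, and all of them are enforced).
function framingProtection(headers) {
  // An enforced frame-ancestors directive makes browsers ignore X-Frame-Options,
  // so it is evaluated first. Content-Security-Policy-Report-Only never blocks
  // framing, so it is deliberately not consulted.
  for (const csp of headers['content-security-policy'] || []) {
    const sources = frameAncestors(csp);
    if (sources === null) continue;
    // An empty source list means 'none'; '*' or a bare scheme allows any origin.
    const open = sources.some((s) => s === '*' || /^https?:$/.test(s));
    return open
      ? { protected: false, reason: 'frame-ancestors allows any origin' }
      : { protected: true, reason: 'frame-ancestors restricts embedding' };
  }
  const xfo = (headers['x-frame-options'] || [])[0];
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { protected: true, reason: `X-Frame-Options: ${value}` };
    }
    // ALLOW-FROM and malformed values are ignored by current browsers.
    return { protected: false, reason: `unsupported X-Frame-Options: ${value}` };
  }
  return { protected: false, reason: 'no framing protection header' };
}

// Constructed sample: a login-gated API response with no framing header at
// all, the situation the researchers describe for many sensitive resources.
const sample = { 'set-cookie': ['session=abc; HttpOnly; Secure'], 'content-type': ['application/json'] };
console.log(framingProtection(sample));
```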
Designated CVE-2017-15417, the issue was fixed last December in Chrome version 63, and only a few weeks back in Firefox Quantum version 60, hence its disclosure. Internet Explorer, Edge and Apple’s Safari browsers are not affected.
Oddly, the bug was disclosed to Google’s Chrome open source team in 2017, after which it was temporarily made public by accident, without anyone (we hope) noticing.
It’s an unusual flaw but one to keep an eye on:
We have only demonstrated the attack potential against Facebook. However, throughout the web there are tons of other sensitive resources which could be affected by attacks like this in a similar fashion. Unfortunately, we anticipate more and more of such vulnerabilities to be discovered over the years to come.