Chrome, Firefox, browser iframe exploit can steal Facebook profile info and other personal data

A side-channel attack on CSS could expose your personal data to malicious websites, unless you update your browser immediately.

The bad guys have been working on social engineering end users with fake ‘Critical updates’ for all major web browsers.

Last month, our friend Chris Boyd over at ThreatTrack Security discovered this new trend while it was still in its infancy (i.e. really terrible looking templates).

Well, it seems like the machine is well-oiled now as more and more domains are popping up with those shiny (and ripped off) designs:

A pair of independent security researchers has revealed a serious flaw in cascading style sheets (CSSes) that could leave private user data exposed to malicious websites.

The exploit allows a malicious website to steal Facebook profile pictures, the name associated with a profile, and a full list of pages the user has liked, all without requiring any interaction from the victim.

A malicious site would only need to have a cross-site login iframe that pulls data from Facebook and uses mix-blend-mode, a graphical option added to CSS3 in 2016. From there it takes mere seconds to to steal user likes and a profile name. It only takes a few additional minutes for the malicious site to reconstruct the profile picture using layers of one-pixel DIV layers.

It doesn't just affect Facebook users either—any website that allows iframes to pull data is susceptible to the attack.

The researchers, Ruslan Habalov and Dario Weißer, say that they aren't surprised that CSS can be exploited to steal personal data. "[With the introduction of] HTML5 and CSS3 the attack surface of browsers grew accordingly," they said. "Consequently, it is no surprise that interactions between such features can cause unexpected behavior impacting the security of their users."