An exploit would allow an attacker to pick up the profile picture, username and the “likes” of unsuspecting visitors who find themselves landing on a malicious website – with no additional user interaction.
The vulnerability (CVE-2017-15417) lies in certain browser implementations of the “mix-blend-mode” feature of Cascading Style Sheets 3 (CSS3), one of the core technologies for building web pages. Mix-blend-mode allows web designers to select how website content blends with background elements; the flaw within it allows visual content to leak from cross-origin IFrames.
In an analysis, Google security engineer Ruslan Habalov and white-hat Dario Weißer said that for an exploit to work, the victim must be logged into Facebook. The visual data leak/attack could then be carried out when the user visits websites using IFrames containing social plugins and “log in with Facebook” buttons, which the researchers refer to as “endpoints.”
A weaponized website can’t access the content of IFrames directly, but attackers can determine a cross-origin IFrame’s content embedded in a page by simply overlaying the target with a stack of <div> elements that have mix-blend-mode enabled.
Web designers use <div> elements <div> to group together HTML elements on a page, applying CSS styles to many elements at once. The overlay interacts with the underlying pixels, allowing an exploit to infer what the content is visually by measuring the time it takes to render an individual pixel: That time varies by color. By analyzing the different rendering times for each pixel, it’s possible to determine the color of that pixel to reconstruct a visual representation of the targeted content.
“The rendering of this stack can…take a variable amount of time depending on the underlying pixel color inside the IFrame,” Habalov explained in the post. “By moving this <div> ‘scan’ stack across the IFrame, forcing re-renderings and measuring the individual rendering times, it is possible to [lift the content out of the targeted IFrame].”
In the case of Facebook, the researchers constructed a proof-of-concept HTML file containing a payload for the discovered bug.
“Opening this file is enough to load different Facebook endpoints inside IFrames and to start exploitation, which can be fully camouflaged,” Habalov said. To the latter point, the PoC attack toggles an animated cat overlay which obscures the leakage.
The PoC attack, which Habalov said is “inefficient,” took about 20 seconds to reveal a user name, five minutes to leak a fuzzy version of a profile picture, and 500 milliseconds to check the like status for any given site.
The attack also works to display the profile pictures of the victim’s friends who have liked the same page as the victim did; and for leaking the user’s like status of arbitrary pages.
The two only demonstrated the attack potential against Facebook, but Habalov said that “throughout the web there are tons of other sensitive resources which could be affected by attacks like this in a similar fashion.”
He added, “Side-channel vulnerabilities are very sneaky and sometimes hard to patch as was seen with the quite recent and ongoing Meltdown/Spectre discoveries. Similarly, it is no surprise that an ever-growing browser feature landscape and more demanding performance for all these features contributes even more to this core problematic in its own way. Particularly, mix-blend-mode is only the tip of the iceberg when it comes to the gigantic rendering feature amount CSS3 and webkit have already introduced.”
Google and Mozilla have both issued patches for the flaw.