A side-channel vulnerability in Google Chrome and Mozilla Firefox permits drive-by de-anonymization of Facebook users.
An exploit would allow an attacker to obtain the profile picture, username and “preferences” of unsuspecting visitors who land on a malicious site, with no additional user interaction.
The vulnerability (CVE-2017-15417) lies in how certain web browsers implement the “mix-blend-mode” feature of Cascading Style Sheets 3 (CSS3), one of the core building blocks of web pages. mix-blend-mode lets web designers choose how page content blends with its background; a defect in its implementation allows visual content to leak from cross-origin iframes.
In their investigation, Google security researcher Ruslan Habalov and white-hat hacker Dario Weißer said that for an exploit to work, the victim must be signed in to Facebook. The visual information leak can then occur when the user visits sites that use iframes containing social plugins and “sign in with Facebook” buttons, which the researchers refer to as “endpoints.”
The attack also attempts to reveal the profile photos of the victim’s friends who have liked the same page the victim did.
They only demonstrated the attack against Facebook, but Habalov said that “throughout the web there are tons of other sensitive resources which could be affected by attacks like this in a similar fashion.”
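The precondition the researchers describe is that an “endpoint” renders per-user content inside an iframe on a third-party page while carrying the victim’s session cookies. The check below is an added example, not code from the article or from the researchers: it inspects a site’s response headers and reports whether that precondition holds, i.e. whether the session cookie is sent in cross-site iframes (no `SameSite=Lax`/`Strict`) and whether the response can be framed by any origin (no restrictive `X-Frame-Options` or `frame-ancestors`). The header values, the `assessCrossSiteFrameExposure` function and the sample cookie name are constructed for the example.

```javascript
// Added example (not from the article): assess whether a response could be
// embedded with the user's credentials in a third-party iframe, which is the
// precondition for the cross-origin pixel leak described above.

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(value) {
  const parts = value.split(';').map((s) => s.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  const attrs = {};
  for (const part of parts.slice(1)) {
    const [k, v] = part.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, attrs };
}

// True when a CSP has no frame-ancestors directive or allows any origin.
function frameAncestorsAllowsAnyOrigin(csp) {
  if (!csp) return true;
  const directive = csp
    .split(';')
    .map((s) => s.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (!directive) return true;
  const sources = directive.split(/\s+/).slice(1);
  // '*' or a bare scheme source lets every (https) site frame the response.
  return sources.some((s) => s === '*' || s === 'http:' || s === 'https:');
}

// headers: object with lower-cased names; set-cookie may be a string or array.
// Returns { exposed, findings } where exposed means both conditions hold.
function assessCrossSiteFrameExposure(headers) {
  const findings = [];
  const cookies = [].concat(headers['set-cookie'] || []);
  let credentialedCrossSite = false;
  for (const raw of cookies) {
    const { name, attrs } = parseSetCookie(raw);
    // A missing SameSite attribute behaved like None in browsers of the time.
    const sameSite = String(attrs.samesite || 'none').toLowerCase();
    if (sameSite !== 'lax' && sameSite !== 'strict') {
      credentialedCrossSite = true;
      findings.push(`cookie "${name}" is sent in cross-site iframes (SameSite=${sameSite})`);
    }
  }
  const xfo = String(headers['x-frame-options'] || '').toLowerCase();
  const xfoRestricts = xfo === 'deny' || xfo === 'sameorigin';
  const framableByAnyOrigin =
    !xfoRestricts && frameAncestorsAllowsAnyOrigin(headers['content-security-policy']);
  if (framableByAnyOrigin) {
    findings.push('response can be framed by any origin (no X-Frame-Options / frame-ancestors restriction)');
  }
  return { exposed: credentialedCrossSite && framableByAnyOrigin, findings };
}

// Constructed sample headers: a weak configuration and a hardened one.
const WEAK_HEADERS = {
  'set-cookie': ['sessionid=abc123; Path=/; Secure; HttpOnly'],
  'content-security-policy': "default-src 'self'",
};
const HARDENED_HEADERS = {
  'set-cookie': ['sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  'content-security-policy': "frame-ancestors 'self' https://trusted.example",
};

for (const [label, headers] of [['weak', WEAK_HEADERS], ['hardened', HARDENED_HEADERS]]) {
  const result = assessCrossSiteFrameExposure(headers);
  console.log(`${label}: exposed=${result.exposed}`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

Social plugins are meant to be embedded, so framing restrictions cannot be applied to them; for such endpoints the cookie attribute is the lever that stops a third-party page from rendering authenticated content, independent of the browser patches the article mentions.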
Google and Mozilla have both issued patches for this vulnerability.