Ever since the news about the harvesting of user data through Facebook by political data analytics firm Cambridge Analytica broke out, Facebook has been under severe scrutiny by several governments and regulators. It has also earned the reputation for being ignorant about users’ right to privacy.
But as it turns out, two of the most popular web browsers – Google Chrome and Mozilla Firefox – have been spilling out profile pictures and the usernames of Facebook users for over a year now. This has been accomplished by exploiting the new standards for CSS (cascading style sheets) which were implemented in 2016.
The users who fell prey to this exploit were those who visited malicious pages (accidentally or erroneously) which hosted the content from Facebook using iFrames. These sites ape Facebook’s interface so that inattentive users can be easily fooled.
Hackers misused a CSS feature called “mix-blend-mode” to leak graphic content and technical information associated with it. They also used optical character decoders to fetch out names of users and sometimes even statuses posted by them.
After being identified by two independent research teams, the vulnerability was fixed for Chrome with the update to version 63, which came out in late 2017, and with Firefox 60 which was updated two weeks ago. The vulnerability no longer affects the browsers but Dario Weißer, one of the researchers, warned that similar hacks are possible in the future with the rise of graphic-intensive content and standards like HTML5 which support it.
Meanwhile, Internet Explorer and Microsoft Edge were spared from the attack because the company did not implement mix-blend-mode. At the same time, Safari was also protected against such attacks but the researchers were unaware of the exact reason.
Weißer also argues that while the teams have disclosed flaws in Facebook, there could be many more rogue websites using the technology fool users and “tons of other sensitive resources which could be affected” by similar attacks.