An anonymous reader writes: Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook. Information leaked via this attack could aid some advertisers linking IP addresses or advertising profiles to real-life persons, posing a serious threat to a user’s online privacy. The leak isn’t specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes. The actual vulnerability resides in the browser implementation of a CSS feature named “mix-blend-mode,” added in 2016 in the CSS3 web standard. Security researchers have proven that by overlaying multiple layers of 1x1px-sized DIV layers on top of iframes, each layer with a different blend mode, they could determine what’s displayed inside it and recover the data, to which parent websites cannot regularly access. This attack works in Chrome and Firefox, but has been fixed in recent versions.
of this story at Slashdot.
Source:: Slashdot