Chrome and Firefox Exploits using CSS and HTML5
Insider threats come in all different shapes and sizes. Many times it’s not malicious in any way even though they come directly from your own employees. A recent vulnerability found in Firefox and Chrome gave attackers access to images from the popular social media site Facebook. The vulnerability was mainly from the advanced HTML5 and CSS graphics capabilities. This makes it easier for developers to display layers on a web page.
CSS and HTML5 Risks
Traditionally, content within iframes could not access data from the outer page, but the capabilities of the latest versions of CSS and HTML5 have made security researchers aware of the possibility of future attacks. This current attack is considered a more advanced attack than other web-based browser attacks. But the data that can be extracted from social media is the major concern. Hackers can extract data including Facebook usernames, user profile pictures, and any likes from the profile.
It’s widely know that an iframe from one domain could not extract information from another domain. This is known as same-origin policy. This is a known security feature built into all browsers for years. Developers that built applications using iframes with other APIs such as Facebook felt secure that any application within the iframe was safe from other data throughout the site. But this new vulnerability has destroyed this traditional, long-time rule of thumb.
Security researchers are also concerned that more social media plugins will be affected. This is because many of the major ones use iframes to give site owners an easy way to work with plugins without knowing a lot of code.
The same-origin rule works effectively, but attackers were able to bypass the security policy by using overlays that covered the iframe content. With the overlays, an attacker could then manipulate pixels and make calls using CSS and HTML5 to extract data from the iframe. This allows an attacker to leak data from content as images. The HTML and code doesn’t extract from the iframe. But, the visual contents can be extracted. Then sent to an attacker’s server. This seems tedious and unnecessary for an attacker. But they can extract the data. Then they can sell it on the black market. The data can also exploited for phishing attacks.
The amount of time needed to extract data using this method varies. An attacker needs one second to check the like status of a Facebook, about 20 seconds to get a username from the iframe and five minutes to get a crude quality extraction of an image. This means to gain access of all data for a Facebook profile, the user needs to leave their browser open to a page for at least five minutes. If you exclude the profile image from data extracted, then the page only needs to be open for 20 seconds.
Explorer and Safari Browsers
This security flaw did not affect Internet Explorer and Safari. This is mainly because IE does not use mix blend mode graphics packages. However, researchers are unsure why Safari wasn’t. Currently, the only known issue is with the Facebook plugin. This is mainly due to no security features built into the basic social plugins. Other social platforms use site-wide security to avoid these types of vulnerabilities.
You might wonder how this could be an insider threat, but many employees browse social networks on their work desktop. Some industries have social media employees that work with business accounts. This leaves your business social media accounts open to attack including your employees and their personal accounts. Chrome and Firefox have released patches to fix this vulnerability, so make sure your users have patched browser software.
See GateKeeper proximity access control in action.
Take a self-guided tour of how you can evolve from passwords. Then you're really saving time with automation.