Chrome and Firefox Exploits using CSS and HTML5
Insider threats come in all different shapes and sizes, and many times they aren't malicious in any way even though they come directly from your own employees. A recent vulnerability found in Firefox and Chrome gave attackers access to images from the popular social media site Facebook. The vulnerability stemmed mainly from the advanced HTML5 and CSS graphics capabilities, which make it easier for developers to display layers on a web page.
Traditionally, content within iframes could not access data from the outer page, but the capabilities of the latest versions of CSS and HTML5 have made security researchers aware of the possibility of future attacks. This attack is considered more advanced than other web-based browser attacks, but the data that can be extracted from social media is the major concern. The data that could be extracted includes Facebook usernames, user profile pictures, and any likes from the profile.
It's widely known that an iframe from one domain cannot extract information from another domain. The rule is called the same-origin policy, and it has been a known security feature built into all browsers for years. Developers that built applications using iframes with other APIs such as Facebook felt confident that anything inside the iframe was isolated from the rest of the page, but this new vulnerability has broken this traditional, long-time rule of thumb.
Security researchers are also concerned that more social media plugins will be affected, because many of the major ones use iframes to give site owners an easy way to work with plugins without knowing a lot of code.
The same-origin rule works effectively, but attackers were able to bypass the security policy by using overlays that covered the iframe content. With the overlays, an attacker could then manipulate pixels and make calls using CSS and HTML5 to extract data from the iframe. This allows an attacker to leak the iframe's content as images. The HTML and code are not extracted from the iframe, but the visual contents can be extracted and sent to an attacker's server. This seems tedious and unnecessary for an attacker, but the data that can be extracted can be sold on the black market or further used to target individuals for phishing or other attacks.
The amount of time needed to extract data using this method varies. An attacker needs one second to check a Facebook like status, about 20 seconds to get a username from the iframe, and five minutes to get a crude-quality extraction of an image. This means that to gain access to all data for a Facebook profile, the user needs to leave their browser open to a page for at least five minutes. If you exclude the profile image from the data extracted, then the user only needs to leave the page open for 20 seconds.
It should be noted that Internet Explorer and Safari are not affected by this security flaw, mainly because IE does not support the mix-blend-mode graphics feature. Researchers were unsure why Safari wasn't affected, however. Currently, the only known issue is with the Facebook plugin, mainly because no security features are built into the basic social plugins. Other social platforms use site-wide security to avoid these types of vulnerabilities.
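The leak described above only works when a page that renders user-specific content can be loaded in an iframe on an origin the attacker controls, which is what "site-wide security" prevents. As an added example (not code from the original article), the Python helper below audits a response's headers and reports whether a given embedding origin may frame it; the header sets and origins in the test are constructed.

```python
"""Audit whether a response may be framed by a given origin.

Two headers control framing: Content-Security-Policy frame-ancestors
(authoritative when present) and the legacy X-Frame-Options. All origins
and header values used with this helper are constructed examples.
"""
from urllib.parse import urlsplit


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source expression against an embedder origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    e = urlsplit(embedder)
    if src.endswith(":") and "/" not in src:        # scheme-source, e.g. "https:"
        return e.scheme == src[:-1]
    if "://" not in src:                              # host-source without a scheme
        src = e.scheme + "://" + src
    s = urlsplit(src)
    if s.scheme != e.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):                         # wildcard matches subdomains only
        host_ok = (e.hostname or "").endswith(host[1:])
    else:
        host_ok = e.hostname == host
    default_port = {"https": 443, "http": 80}.get(e.scheme)
    return host_ok and (s.port is None or s.port == (e.port or default_port))


def framing_allowed(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """Return True if a page served with these headers may be framed by embedder_origin.

    Header names are matched case-insensitively. When frame-ancestors is present
    X-Frame-Options is ignored, mirroring browser behaviour.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, embedder_origin, page_origin) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True  # no framing restriction at all: any origin can embed this page
```

A page that returns True for an arbitrary third-party origin is exactly the kind of embeddable, user-specific content this pixel-leak technique targets.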
You might wonder how this could be an insider threat, but many employees browse social networks on their work desktop. Some industries have social media employees that work with business accounts. This leaves both your business social media accounts and your employees' personal accounts open to attack. Chrome and Firefox have released patches to fix this vulnerability, so make sure your users have patched browser software.