- An innovative hack exploited a graphics feature in some of the top browsers, including Chrome and Firefox, until it was fixed.
- The mix-blend-mode feature leaked visual content to hackers' websites and made the browsers vulnerable.
- The fix is temporary. The issue might return due to the increasing graphics capabilities in HTML and other coding languages.
Google Chrome and Mozilla Firefox were found to contain a security vulnerability. It was revealed that the security protections of these browsers could be easily bypassed. This could have been a gateway to capturing data from the most popular social networking websites, such as Facebook.
Another shocking revelation is that ‘mix-blend-mode’, a relatively new feature found in today's web browsers, leaked the visual content of websites embedded through iframes. This jeopardized 1 billion Facebook users and put their privacy at risk.
The research behind these revelations also disclosed that the data was extracted from these browsers through a side-channel vulnerability. This could have been due to the implementation of the new standards for Cascading Style Sheets. Browsers like Chrome and Firefox usually prevent this kind of leak through a security concept called the same-origin policy, which is designed to block content hosted on one domain from being available to another.
This vulnerability was discovered by two independent research teams and has recently been fixed by all the major internet browsers. The first versions to include the fix were Google Chrome V63 and Firefox 60. “For now, the security patches are fixed,” said one of the teams which made the discovery, “but the recent boost of graphics capabilities in HTML5 and CSS are likely to lead us to the same threat.”
To demonstrate, Dario Weißer used an iframe to embed Facebook, which subsequently displayed the ‘login’ and ‘like’ buttons on the hacker’s page. Weißer further explained that the same technique that protects against this mishap also makes it vulnerable. A clever hacker can exploit this technique with the mix-blend-mode function and easily extract the information. “Of course, we cannot directly access the iframe’s content,” Weißer said, “but we can put overlays over iframe and extract the information from the graphical interaction between the underlying pixels. The browser doesn’t leak the HTML, but the content of the targeted iframe does.”
Habalov and Weißer reported this vulnerability to both Facebook and Google. They also reported it to Skia, which makes the graphics library that Chrome uses. Skia fixed it the same month they were informed, while Google fixed it in December. Facebook acknowledged the vulnerability but declared that fixing it was unfeasible on their part.
Due to an error, Weißer and Habalov did not inform Firefox until November 2017. This is the very reason why Firefox was late in fixing this issue. Firefox fixed it in the second week of May 2018.
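The technique described above depends on the target page being loaded in an iframe on another site. The following JavaScript is an added example, not code from the researchers or the browser vendors: it checks whether a response's headers permit cross-origin framing. The X-Frame-Options and Content-Security-Policy frame-ancestors headers are standard but are not mentioned in the article, and the origins and sample headers are constructed. It assumes a single CSP policy per response.

```javascript
// Added example: decide from response headers whether a page may be framed
// by a different origin. Semantics follow X-Frame-Options and the CSP
// "frame-ancestors" directive. Assumes one CSP policy per response.

// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// headers: object keyed by lowercase header name. pageOrigin: the page's origin.
function crossOriginFramingAllowed(headers, pageOrigin) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When present, frame-ancestors takes precedence over X-Frame-Options.
    // An empty source list behaves like 'none'.
    return sources.some((s) => {
      const v = s.toLowerCase();
      if (v === "'none'" || v === "'self'") return false;
      if (v === pageOrigin.toLowerCase()) return false;
      return true; // any other host, scheme or wildcard admits a foreign parent
    });
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  // DENY and SAMEORIGIN block foreign parents. Anything else, including the
  // obsolete ALLOW-FROM that current browsers ignore, gives no protection.
  return !(xfo === "DENY" || xfo === "SAMEORIGIN");
}

// Constructed sample responses for a hypothetical site https://app.example.
const ORIGIN = "https://app.example";
const samples = {
  noHeaders: {},
  xfoDeny: { "x-frame-options": "DENY" },
  xfoAllowFrom: { "x-frame-options": "ALLOW-FROM https://partner.example" },
  cspSelf: { "content-security-policy": "default-src 'self'; frame-ancestors 'self'" },
  cspPartner: { "content-security-policy": "frame-ancestors 'self' https://partner.example" },
  cspOverridesXfo: { "x-frame-options": "DENY", "content-security-policy": "frame-ancestors *" },
};

// Names of the sample responses that a foreign page could embed in an iframe.
function frameableSamples() {
  return Object.keys(samples).filter((k) => crossOriginFramingAllowed(samples[k], ORIGIN));
}

console.log("Frameable by other origins:", frameableSamples().join(", "));
```

Pages that are meant to be embedded, such as the ‘like’ and ‘login’ widgets in the demonstration, will show up as frameable by design, so the check is most useful for pages that should never appear inside another site.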