Firefox And Chrome Leaks And Risks: Nobody Is Safe
Posted By Ankit Kadam

Researchers have found that for more than a year Google Chrome and Mozilla Firefox were leaking users' Facebook names and profile pictures. The leak happens when a user visits a malicious website that targets their Facebook account.

A new feature of Cascading Style Sheets (CSS), the language that controls how a document is presented, was introduced in 2016. Its implementation led to a side-channel vulnerability that made it possible to extract this data.

The Problem Of Identity Stealing

Visual content that the user hosts on Facebook was leaked through a new CSS feature named "mix-blend-mode" to other websites that embedded it in an iframe and used some clever measurements to capture the leaked data. The security concept known as the same-origin policy does not allow content hosted on one domain to be read by any other domain. The vulnerability was important because it allowed attackers to bypass that policy in the two most widely used browsers on the Internet.

This problem was later discovered independently by two different research teams. It was fixed last year in version 63 of Google Chrome and a few weeks ago in version 60 of Mozilla Firefox.

The ways graphics are handled in CSS, HTML and JavaScript are very different. Ruslan Habalov and Weißer together produced a proof of concept (PoC) showing that browsers like Chrome and Firefox had been leaking the usernames and profile pictures of users who logged into Facebook using these browsers. The PoC used an iframe that loads Facebook's social plugins, which make the login button and the like button available on a page.

The PoC requires less than a second to check the like status of a known website, less than 20 seconds to extract the username of the visitor, and around 5 minutes to get the profile picture of the visitor.
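The leak described above depends on the victim's content being rendered inside an iframe on another site's page. As an added example (not part of the original article or the researchers' PoC), this Node.js function classifies how widely a response allows itself to be framed, which is the check a site owner would run on pages that are not designed to be embedded. The function names and the sample header values are assumptions made for the illustration.

```javascript
// Added example, not code from the article. Header keys are lower-cased,
// as Node.js delivers them; all sample values below are constructed.
const RANK = ['blocked', 'same-origin', 'allow-list', 'any-origin'];

// Source list of the frame-ancestors directive in one CSP policy, or null.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name === 'frame-ancestors') return sources;
  }
  return null;
}

// Index into RANK for one frame-ancestors source list.
function rankSources(sources) {
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 0;
  if (sources.some(s => s === '*' || s === 'http:' || s === 'https:')) return 3;
  return sources.every(s => s === "'self'") ? 1 : 2;
}

function framingExposure(headers) {
  // Comma-separated CSP policies are all enforced, so exposure is no wider
  // than the strictest frame-ancestors list among them.
  const lists = (headers['content-security-policy'] || '')
    .split(',').map(frameAncestors).filter(l => l !== null);
  // Browsers that support frame-ancestors ignore X-Frame-Options when it is set.
  if (lists.length > 0) return RANK[Math.min(...lists.map(rankSources))];

  const xfo = new Set((headers['x-frame-options'] || '')
    .split(',').map(v => v.trim().toLowerCase()).filter(v => v !== ''));
  const known = ['deny', 'sameorigin', 'allowall'].some(v => xfo.has(v));
  if (xfo.size > 1 && known) return 'blocked'; // conflicting values fail closed
  if (xfo.has('deny')) return 'blocked';
  if (xfo.has('sameorigin')) return 'same-origin';
  return 'any-origin'; // missing, obsolete ALLOW-FROM, or unrecognised value
}

// Constructed sample responses.
const samples = {
  'no headers': {},
  'XFO deny': { 'x-frame-options': 'DENY' },
  'obsolete ALLOW-FROM': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  'CSP overrides XFO': { 'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors https://partner.example" },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(label, '->', framingExposure(headers));
}
```

The last sample shows a case that is easy to miss in review: a `frame-ancestors` allow-list replaces a stricter `X-Frame-Options: DENY` in browsers that support the directive.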

Several predictions have been made that there might be many more cases like this in the near future.