Chrome and Firefox leaks let sites steal visitors’ Facebook names, profile pics

Enlarge (credit: Ruslan Habalov)

For more than a year, Mozilla Firefox and Google Chrome may have leaked users’ Facebook usernames, profile pictures, and likes if the users’ browsers visited malicious websites that employed a cutting-edge hack, researchers said Thursday.

The data could be extracted through what’s known as a side-channel vulnerability in the browsers’ implementation of new standards for cascading style sheets introduced in 2016. One of the new features known as the “mix-blend-mode” leaked visual content hosted on Facebook to websites that included an iframe linking to it and some clever code to capture the data. Normally, a security concept known as the same-origin policy forbids content hosted on one domain to be available to a different domain. The vulnerability was significant because it allowed hackers to bypass this bedrock principle for two of the Internet’s most widely used browsers.

The leak was independently discovered by two different research teams, and it was fixed late last year in version 63 of Chrome and two weeks ago in Firefox 60. While the updated browsers no longer pose a threat to user privacy, one of the researchers who discovered the vulnerability said the increasingly powerful graphics capabilities being added in the HTML5 and CSS standards are likely to make similar hacks possible in the future.