Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cross-origin data leak. Show all posts
Web security
Browser Vulnerability cross-origin data leak CSS security flaw Lyra Rebane research SVG clickjacking Vulnerabilities and Exploits Web security

New SVG-Based Clickjacking Technique Exposes Cross-Origin Data Through CSS Filters

 

Security researcher Lyra Rebane has developed a new type of clickjacking attack that cleverly exploits Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS) to bypass traditional web protections.

Rebane first showcased this discovery during BSides Tallinn in October and has since released a technical breakdown of the method. The attack takes advantage of a little-known behavior where SVG filters can inadvertently expose cross-origin information—directly undermining the web’s same-origin policy.

Clickjacking, also known as a user interface redress attack, involves deceiving users into performing unintended actions by visually manipulating interface elements. The concept, introduced in 2008 by security researchers Jeremiah Grossman and Robert Hansen, was originally described as a technique for redirecting mouse clicks to malicious targets such as hidden buttons or form inputs.

Over the years, browsers have implemented numerous defenses to prevent such attacks. OWASP highlights common safeguards such as blocking page rendering within frames via X-Frame-Options or CSP frame-ancestors, limiting cookie access inside frames, and using JavaScript frame-busting scripts. Even with these protections, new variants continue to appear—most recently, last year’s cross-window forgery technique.

Rebane’s discovery began while she was experimenting with recreating Apple’s Liquid Glass distortion effect using SVG filters and CSS. Once she successfully replicated the effect, she noticed that when embedded inside an iframe, her SVG/CSS implementation could detect pixel data from the page beneath it—effectively accessing information from another origin.

She told The Register that previous attempts using SVG for cross-origin attacks exist, citing Paul Stone’s “Perfect Pixel Timing Attacks With HTML” and Ron Masas’s “The Human Side Channel”. But, as Rebane stated, "I don't think anyone else has run logic on cross-origin data the way I have."

Her write-up details how she used SVG filters to construct logic gates capable of processing webpage pixels using arbitrary computation—enabling a clickjacking method that would be extremely difficult to achieve with other tools.

According to Rebane, "By using feBlend and feComposite, we can recreate all logic gates and make SVG filters functionally complete. This means that we can program anything we want, as long as it is not timing-based and doesn't take up too many resources."

To demonstrate the risks, Rebane created a proof-of-concept that extracts text from Google Docs. Her attack overlays a “Generate Document” button on a popup. When clicked, the underlying script identifies the popup and shows a CAPTCHA-style textbox. Once submitted, the attacker-controlled interface secretly feeds a suggested Google Docs file name into a hidden textbox. While typical framing restrictions would prevent this, Google Docs allows itself to be embedded, making the attack viable.

Rebane noted that this is common among services intended for embedding—such as YouTube videos, social widgets, maps, payment systems, comment modules, and advertisements. Some services also unintentionally permit framing by failing to include protective headers, which is frequently seen in API endpoints.

Beyond iframe scenarios, Rebane explained that the technique can also be adapted for sites vulnerable to HTML injection.

She said, "There's a vulnerability class known as XSS which involves injecting HTML on websites through various means to execute malicious JavaScript." With CSP now blocking many forms of unsafe JavaScript, attackers look for alternatives. In such cases, "CSS is the next best thing to use, and it can be used for many kinds of interesting attacks," she added, arguing that CSS itself behaves like a programming language. "SVG clickjacking is one of the many attacks that could be used there."

Although the method does not fundamentally overhaul existing web security principles, it significantly lowers the complexity required to execute advanced attack chains.

Google awarded Rebane a $3,133.70 bug bounty for reporting the flaw. She noted that the issue remains unresolved and may not even be classified as a browser bug, adding that Firefox and other browsers are affected as well.

Rebane also pointed out potential mitigations—highlighting the Intersection Observer v2 API, which can detect when an SVG filter is positioned above an iframe.

Google has yet to comment on the matter. A related Chromium bug originating from earlier timing attacks has been closed with a “won’t fix” status.
Read more »
Subscribe to: Comments (Atom)