Cross Domain Data Theft using CSS
By Pete Freitag
Firefox 3.6.7, released today, fixes an interesting security vulnerability called Cross Domain Data Theft using CSS, discovered by Google security researcher Chris Evans.
It works kind of like JSON Hijacking, but uses a cross domain <link /> tag instead of a cross domain <script /> call to the attacker site.
Here's how it works:
- Post a comment on the victim site that looks like this:
{}body{background-image:url('http://google.com/
It can be anywhere on the page; it doesn't need to be in a style tag or attribute.
- Get a user of the victim site to visit the attacker's site, which contains a link tag like this:
<link rel="stylesheet" href="http://victimsite.example.com/page/with/above/css">
- The attacker site also includes some JavaScript calling window.getComputedStyle(...); this can be used to steal the content of the page at victimsite.example.com.
The {} in the comment resets the CSS parser, which up to that point has been thoroughly confused by trying to parse the HTML of the page as CSS.
To fix this issue, Firefox (and WebKit) now refuse to load a stylesheet that meets all of these conditions:
- The CSS file is served from another domain
- Its Content-Type is not text/css
- The file does not start with valid CSS syntax
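To make the three conditions concrete, here is an added example (my own code, not from the original post or from either browser's source) that models the decision as the post describes it: a stylesheet is refused only when it is cross-origin, is not served as text/css, and does not begin with something that parses as CSS. The "starts with valid CSS" test is a deliberately simplified approximation (an at-rule, or a non-empty selector followed by "{"), not a full CSS parser; the URLs and response bodies in the usage section are constructed.

```javascript
// Added example: a model of the cross-origin stylesheet check described above.
// Same-origin sheets and properly typed sheets are always accepted, which is
// why the fix broke almost no legitimate sites.

// Extract the media type from a Content-Type header, ignoring parameters
// such as "; charset=utf-8" and letter case.
function mediaType(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Strip a leading BOM, whitespace and /* comments */ so the syntax check
// sees the first real construct in the body.
function stripLeading(body) {
  let s = body.replace(/^\uFEFF/, "");
  for (;;) {
    const trimmed = s.replace(/^\s+/, "");
    if (trimmed.startsWith("/*")) {
      const end = trimmed.indexOf("*/", 2);
      if (end === -1) return ""; // unterminated comment: nothing parseable follows
      s = trimmed.slice(end + 2);
      continue;
    }
    return trimmed;
  }
}

// Simplified stand-in for "starts with valid CSS syntax" (an assumption of
// this example, not the browsers' exact rule): the body must open with an
// at-rule such as @import or @media, or with a selector followed by "{".
// An HTML page ("<!DOCTYPE html>") or the injected "{}body{...}" fragment
// with its empty selector both fail this test.
function startsWithValidCss(body) {
  const s = stripLeading(body);
  if (s === "") return false;
  if (/^@[A-Za-z-]/.test(s)) return true; // at-rule
  return /^[^{}<>;@"']+\{/.test(s);       // non-empty selector, then "{"
}

// Decide whether a stylesheet response may be applied to a document.
// documentUrl and sheetUrl are absolute URLs; contentType is the raw header.
function shouldApplyStylesheet(documentUrl, sheetUrl, contentType, body) {
  const crossOrigin = new URL(sheetUrl).origin !== new URL(documentUrl).origin;
  if (!crossOrigin) return true;                      // condition 1 not met
  if (mediaType(contentType) === "text/css") return true; // condition 2 not met
  return startsWithValidCss(body);                    // condition 3 decides
}

// Constructed sample: the victim page (HTML) containing the injected comment.
const VICTIM_PAGE =
  "<!DOCTYPE html><html><body><p>Secret: 4242</p>" +
  "<p>{}body{background-image:url('http://google.com/</p></body></html>";

console.log(shouldApplyStylesheet(
  "https://attacker.example/", "http://victimsite.example.com/page",
  "text/html; charset=utf-8", VICTIM_PAGE)); // false: all three conditions hold
console.log(shouldApplyStylesheet(
  "http://victimsite.example.com/", "http://victimsite.example.com/page",
  "text/html", VICTIM_PAGE)); // true: same origin, old behaviour kept
console.log(shouldApplyStylesheet(
  "https://attacker.example/", "http://cdn.example.net/site.css",
  "text/css", "body { color: red }")); // true: properly typed stylesheet
```

The third branch is why the fix is "all three conditions" rather than a strict MIME check: a real stylesheet served by a misconfigured server as text/plain still starts with valid CSS and keeps working, while an HTML page with a comment injected into it does not. On the server side the same model shows the cheap mitigation: serve every response with a correct Content-Type, so that HTML is never mistaken for a stylesheet in the first place.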
You can find many of the interesting details in the Firefox bug report.
Cross Domain Data Theft using CSS was first published on July 21, 2010.