By testing various CSS features like “transparency”, “rotation” and “mix-blend-mode” on top of the cross-origin iframe, the security researcher discovered a bug that allowed side-channel attacking the CSS feature mix-blend-mode. This feature with CSS3 was introduced in 2016 by Web Standard that allows Web developers to overlay Web components and add effects that control how they interact. To demonstrate this vulnerability, the researchers visited a malicious website and found that they could use cross-domain iframes to obtain users’ Facebook profiles, including photos and usernames, without requiring additional interaction with the users.
Habalov explained in the article that when “mix-blend-mode” is enabled, an attacker can use a cascade of DIV elements to overlay the floating frame (iframe) of the target object. The browser renders the stack time according to the floating frame. The color of the pixels varies, and finally, the DIV stack is moved in a floating frame, forcing rerendering and measuring the individual rendering times, ie it is possible to figure out the contents of the floating frame. After testing, the user’s ID can be obtained in about 20 seconds, and fuzzy personal data and pictures can be obtained in about 5 minutes.