Lax CSS Parsing Leading to Cross-Origin Data Theft Vulnerability Analysis

Key Information Summary Vulnerability Description Vulnerability Type: Lax CSS parsing leading to limited cross-domain information theft Affected Scope: Only poses a risk to a subset of websites Details: - Due to the lenient parsing behavior of the CSS parser, cross-origin CSS style sheets can be loaded. - Attackers can steal data across domains by injecting malicious CSS rules, such as Exploitation Method 1. Inject CSS Code - Example attack code: - Attackers can control CSS within cross-origin pages and steal data via forged functions. 2. Data Theft Scenarios - Using Yahoo! Mail as an example, attackers can steal email content through CSS injection. - In test scenarios, stolen data can be exfiltrated via cross-origin CSS requests to servers controlled by the attacker. Solution Discussion Newline Injection Prevention: Not considered an effective defense, as newlines do not prevent exploitation. Strict MIME Type Checking: Enable “strict MIME type required” to control loading of external CSS resources. Code Modifications - Introduce MIME type checking in the CSS parser. - Enforce strict MIME type checking and parsing string methods. Timeline Report Date: 2009-09-28 Resolution Status: RESOLVED FIXED Technical Details Attack Vector: Potential data exposure due to failed cross-origin URL parsing Fix Commit: Code submission including MIME type detection and strict mode settings in the CSS parser to prevent data theft.

Goal Reached Thanks to every supporter — we hit 100%!

Lax CSS Parsing Leading to Cross-Origin Data Theft Vulnerability Analysis