Cross-domain privacy vulnerability using CSS, in all browsers (scarybeastsecurity.blogspot.com)
40 points by mbrubeck on Dec 30, 2009 | 6 comments



I've been using Chrome to stay logged into important apps, then browsing everything else in Firefox.

I also open a separate IE window to log in to my banks and then close out completely when done.

Ever since I saw the hack that checks colors of visited URLs using CSS, I've been a little more cautious of what I'm logged into across tabs.

The thing is, the rest of the world is just running a bunch of IE7 tabs or even IE6 windows.


I use `firefox --no-remote -P`; it lets you have multiple Firefox profiles running at the same time.


So browsers start interpreting properly-escaped markup-lookalike as though it was actual markup? I don't think so. There is a web app bug here.


The exploit page (the one the victim is supposed to click on) loads the injected page (in this case Yahoo Mail) as a stylesheet. The CSS parser throws away all the HTML and correctly parses the injected CSS.

I think the description is not very clear about this step; I had to look at the source of the exploit page to understand what happens.


Clever. But if the single quotes were ", and so on, this would not work. CSS does not have SGML entity support (or does it? please tell me it doesn't...)
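
The point made in the comment above about escaped quotes, as an added illustration that is not part of the thread or the linked post: a simplified model of CSS string tokenizing run over a constructed page, comparing an encoder that leaves single quotes alone with one that turns them into entities. The encoder names, field values and secret are assumptions made for the example.

```javascript
// Added illustration: simplified model, not a browser's CSS parser.
const SECRET = 'CONSTRUCTED-SECRET'; // constructed sample value

// Encodes & < > and both quote characters as HTML entities.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hypothetical weak encoder: single quotes pass through unchanged.
function encodeHtmlWeak(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, c => map[c]);
}

// Return the body of every properly closed quoted string in `text`.
// A raw ' or " opens a string, a backslash escapes the next character
// (simplified), and an unescaped newline discards the string.
// HTML entities such as &#39; mean nothing to CSS, so they open nothing.
function cssStrings(text) {
  const found = [];
  let i = 0;
  while (i < text.length) {
    const q = text[i];
    if (q !== "'" && q !== '"') { i++; continue; }
    let j = i + 1, body = '', closed = false;
    while (j < text.length) {
      const c = text[j];
      if (c === '\\' && j + 1 < text.length) { body += text[j + 1]; j += 2; continue; }
      if (c === '\n') break;                 // bad string, discarded
      if (c === q) { closed = true; break; } // matching quote closes it
      body += c;
      j++;
    }
    if (closed) found.push(body);
    i = j + 1;
  }
  return found;
}

// Constructed page: two reflected fields around text the user does not control.
// Returns the CSS strings that swallowed that text.
function capturedStrings(encode) {
  const page = '<td>' + encode("x'") + '</td><td>' + SECRET +
               '</td><td>' + encode("'y") + '</td>';
  return cssStrings(page).filter(s => s.includes(SECRET));
}
```

With the weak encoder the markup between the two reflected fields lands inside a single CSS string; with entity-encoded quotes no string is opened at all.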


That is truly amazing, scary, and brilliant. I'm not usually impressed by these sorts of things, but this one seems like a really big deal.



