
Cross-domain privacy vulnerability using CSS, in all browsers - mbrubeck
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
======
dpcan
I've been using Chrome to stay logged into important apps, then browsing
everything else in Firefox.

I also open a separate IE window to log in to my banks and then close out
completely when done.

Ever since I saw the hack that checks colors of visited URLs using CSS, I've
been a little more cautious of what I'm logged into across tabs.

The thing is, the rest of the world is just running a bunch of IE7 tabs or
even IE6 windows.

~~~
Dobbs
I use `firefox --no-remote -P`, which lets you have multiple Firefox profiles
running at the same time.

------
jrockway
So browsers start interpreting properly-escaped markup-lookalike as though it
was actual markup? I don't think so. There is a web app bug here.

~~~
danielh
The exploit page (the one the victim is supposed to click on) loads the
injected page (in this case Yahoo Mail) as a stylesheet. The CSS parser throws
away all the HTML and correctly parses the injected CSS.

I think the description is not very clear about this step; I had to look at
the source of the exploit page to understand what happens.

~~~
jrockway
Clever. But if the single quotes were &quot;, and so on, this would not work.
CSS does not have SGML entity support (or does it? please tell me it
doesn't...)

------
qeorge
That is truly amazing, scary, and brilliant. I'm not usually impressed by
these sorts of things, but this one seems like a _really big deal_.

