A pair of independent security researchers has revealed a serious flaw in Cascading Style Sheets (CSS) that could leave private user data exposed to malicious websites.
The exploit allows a malicious website to steal Facebook profile pictures, the name associated with a profile, and a full list of pages the user has liked, all without requiring any interaction from the victim.
A malicious site would only need to have a cross-site login iframe that pulls data from Facebook and uses mix-blend-mode, a graphical option added to CSS3 in 2016. From there it takes mere seconds to steal user likes and a profile name. It only takes a few additional minutes for the malicious site to reconstruct the profile picture by stacking one-pixel DIV layers.