lolsob. Developer attempts to replicate liquid glass in CSS and in the process accidentally discovers a novel and rather serious browser vulnerability

https://lyra.horse/blog/2025/12/svg-clickjacking/

"CSS hack accidentally becomes regular hack"

(via @citrusui)

SVG Filters - Clickjacking 2.0

A novel and powerful twist on an old classic.


@mcc @citrusui the qr thing is just the most incredibly sickly-sweet icing on the cake..

filters can't create links or exfiltrate data? but we can manipulate pixels?

@mcc @citrusui I feel like SVG filters being turing complete is kind of a buried lede here
@aburka @citrusui wasn't clear to me if you could make a flip-flop with it tho
@aburka @mcc @citrusui I mean... it's kinda not the issue. The issue is what data browsers are wrongly giving them access to (the rendered view underneath them), not the computational power. It's a simple failure to enforce privilege domains correctly.
@dalias @aburka @mcc @citrusui also worth noting that turing completeness is a property not just of an intentionally-designed language, but the entire system the language is embedded within. if you can create a file at a specific path and then read whatever is stored at that path you often have enough to achieve turing completeness, and if users don't have well-documented affordances that satisfy their needs, they will find a workaround. and now you have both turing-completeness and a dependency on spooky action at a distance i.e. external state not tracked by the desired model
@dalias @aburka @mcc @citrusui which is why (to my understanding) cryptographic proofs of security and security audits both look to identify information leakage across system boundaries
@hipsterelectron @aburka @mcc @citrusui Yes, well obviously SVG files should not be allowed to create or access external files at any path.
@hipsterelectron @dalias @mcc @citrusui yes I used this fact in my turing completeness proof for my company's yaml metalanguage, which is lazily evaluated hence not recursive *except* you have to eagerly evaluate a filename in order to include it, which was the key
@mcc @citrusui are the browser implementors going to “fix” this by removing filters from SVG or SVG support entirely? 8-(
@oblomov @citrusui it seems like blocking SVG filters from obscuring iframes would be a kinda reasonable response?
@mcc @citrusui I can't say I have much trust in current browser developers to choose the reasonable response.
@mcc in case of interest: she's on fedi, too :)
https://infosec.exchange/@rebane2001/115661669658436967
Rebane

my new blog post is out!! this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration and i've already used it to get a google docs bounty ^^ have fun <3 https://lyra.horse/blog/2025/12/svg-clickjacking/


@mcc @citrusui

So did I read it right that this class of exploits doesn't work in Safari?

@abhayakara @mcc @citrusui it does work in safari, just the demos do not

the demos could be adjusted to work in safari, i just didn't want to bother because it would've made the examples a lot harder to follow along with

@rebane2001 @mcc @citrusui

BTW, really. Thanks! This was obviously a lot of work, and it's a really cool find.

@mcc @citrusui
Are there legitimate uses for iframes where the domain of the URL shown in the iframe is different from the site serving it? It seems like they're often used in questionable ways.
@AdamDavis @mcc @citrusui yes, for example you might want to embed a youtube video or a map widget on a different site
@rebane2001 @AdamDavis @mcc @citrusui also payment forms, which are an example of a case where you both very much want them to be embedded and also very much don't want the parent site to be able to do anything
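The embed-but-don't-let-the-parent-interfere case above comes down to the framing policy a page sends: any clickjacking variant, including the SVG-filter one in the linked post, needs a cross-origin page that can be framed at all. As an added example (not code from the thread or from the blog post), the checker below evaluates a response's `X-Frame-Options` and CSP `frame-ancestors` headers against a would-be parent origin; all header values and hostnames are constructed.

```python
# Added example: does this page's framing policy let a given parent origin embed it?
# Headers, page URLs and parent URLs below are constructed for illustration.
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(csp: str):
    """Token list of the frame-ancestors directive, or None when the CSP has none."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [t.lower() for t in parts[1:]] or ["'none'"]  # empty list means 'none'
    return None


def _source_matches(token: str, page: str, parent: str) -> bool:
    """Minimal CSP source matching: 'self', *, scheme-only, host, and *.host forms."""
    if token == "'self'":
        return parent == page
    if token.startswith("'"):
        return False  # 'none' is handled by the caller; other keywords never match a parent
    if token == "*":
        return True
    p = urlsplit(parent)
    if token.endswith(":") and "://" not in token:  # scheme-only source such as "https:"
        return p.scheme == token[:-1]
    scheme, _, host = token.rpartition("://")
    if scheme and scheme != p.scheme:
        return False
    host = host.split("/")[0].split(":")[0]  # ignore path and port for this check
    if host.startswith("*."):
        return p.hostname.endswith(host[1:])  # "*.shop.example" -> ".shop.example"
    return p.hostname == host


def framing_allowed(headers: dict, page_url: str, parent_url: str) -> bool:
    """True if a page served with these headers can be framed by parent_url.
    CSP frame-ancestors overrides X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = _origin(page_url), _origin(parent_url)
    tokens = _frame_ancestors(h.get("content-security-policy", ""))
    if tokens is not None:
        if "'none'" in tokens:
            return False
        return any(_source_matches(t, page, parent) for t in tokens)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    return True  # no framing policy at all: any origin may embed the page
```

A payment page that must be embeddable only by its own storefronts would send `frame-ancestors 'self' https://*.shop.example`; a page with no policy at all is the one exposed to every clickjacking variant.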
@leo @rebane2001 @AdamDavis @citrusui There's this very interesting service called "Verified By Visa"
@mcc @rebane2001 @AdamDavis @citrusui this is visa's (discontinued?) brand for 3-d secure right? pretty sure that's near-universal in europe and barely exists elsewhere but could be wrong
@mcc @leo @rebane2001 @citrusui
Thank you both for that information. I haven't worked on "storefront" code, so I wasn't aware of that. I should have remembered embedded YT videos, though.
@leo @rebane2001 @AdamDavis @mcc @citrusui I don't get why people want so much to use iframes for payment. What's wrong with redirecting to the payment processor's page?
@SamantazFox @rebane2001 @AdamDavis @mcc @citrusui it's well established that literally any extra step in the payment process measurably decreases revenue
@leo @rebane2001 @AdamDavis @mcc @citrusui Oh, really? Or is that some shitpost?
@SamantazFox @leo @AdamDavis @mcc @citrusui yep, that's why one-click checkout is a thing
@mcc @citrusui dang that website makes my phone chug :P
@mcc I like that a repeated theme throughout the article is "yes, there are more efficient ways to build a general purpose computer with basic logic gates created using svg filters, this is just a demonstration"