Invisible Ink: Privacy Risks of CSS in Browsers and Emails
Recently, Google Chrome and other browsers have started restricting traditional tracking methods, such as third-party cookies, to improve user privacy. Still, websites can leverage browser fingerprinting to track users across websites, even when they try to protect their privacy. Interestingly, the same principles can be leveraged to enhance the security of web applications, such as in risk-based authentication, where users are identified based on their browser fingerprint.
Traditionally, the tracking industry and privacy community have concentrated on JavaScript-based fingerprinting, which is widely used by websites for tracking and security purposes. This focus has led to the development of spot mitigations that limit the execution of JavaScript.
In this talk, we showcase that these mitigations can lead to a false sense of security. We explore the novel privacy implications of recent additions to Cascading Style Sheets (CSS), a style-sheet language for the web that defines the look and feel of HTML content. Unlike JavaScript, CSS is often considered harmless and, thus, for example, enabled by default in most email clients when rendering HTML emails.
We show how CSS can be used to track users across websites, enabling third-party tracking and user profiling without the need for cookies or JavaScript, thereby bypassing state-of-the-art mitigations. Even more concerning, modern browser engines, which form the backbone of most email clients, allow these tracking techniques to be used in HTML emails, because the techniques need nothing beyond CSS rendering to work.
Email fingerprinting opens up an arsenal of opportunities for tracking parties and malicious actors alike, including user profiling, targeted phishing, and spam campaigns.
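The abstract describes the risk but not how a defender would recognize it in a message. The Python below is an added example, not code from the talk or its authors: it extracts the CSS embedded in an HTML email (both `<style>` blocks and inline `style=""` attributes), lists every reference to a remote resource, and marks those that sit inside a conditional at-rule, since a request that is only issued when the client matches a media or feature query reveals a client property to whoever serves it. The choice of `@media`, `@supports` and `@container` as the conditional rules, the sample message and the `example.test` URLs are all assumptions constructed for this example; the blanket mitigation shown (replacing every remote `url()` with `none`) is the classic "do not load remote content" policy of mail clients.

```python
"""Flag and neutralize remote resource loads in CSS embedded in an HTML email.

Added example (not from the talk or its authors). Assumes a simple model:
a url() inside a conditional at-rule (@media/@supports/@container) only
fires when the client matches the condition, so the request itself leaks
a client property. The at-rule list is an editorial assumption.
"""
import re
from html.parser import HTMLParser

# url(...) pointing at an absolute or scheme-relative remote resource; group 1 is the URL
REMOTE_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.IGNORECASE)
# The whole url(...) token, used when stripping remote loads
REMOTE_URL_TOKEN = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//[^)]*\)", re.IGNORECASE)
# Structural tokens: block open/close, declaration end, start of a url() function
CSS_TOKENS = re.compile(r"[{};]|url\(", re.IGNORECASE)
CONDITIONAL_AT_RULES = ("@media", "@supports", "@container")  # assumption, see lead-in


class _CssCollector(HTMLParser):
    """Collect <style> bodies and inline style="" attribute values from HTML."""

    def __init__(self):
        super().__init__()
        self.blocks = []
        self._style_buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._style_buf = []
        for name, value in attrs:
            if name == "style" and value:
                self.blocks.append(value)

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            self.blocks.append("".join(self._style_buf))
            self._style_buf = None


def extract_css(html):
    """Return every CSS fragment found in the HTML, in document order."""
    parser = _CssCollector()
    parser.feed(html)
    parser.close()
    return parser.blocks


def find_remote_refs(css):
    """Return [(url, [enclosing conditional at-rule preludes])] for each remote url()."""
    refs, stack, seg_start = [], [], 0
    for m in CSS_TOKENS.finditer(css):
        tok = m.group(0)
        if tok == "{":
            stack.append(css[seg_start:m.start()].strip())  # prelude of the opened block
            seg_start = m.end()
        elif tok == "}":
            if stack:
                stack.pop()
            seg_start = m.end()
        elif tok == ";":
            seg_start = m.end()
        else:  # url( ... ) : record it together with the conditional blocks around it
            um = REMOTE_URL.match(css, m.start())
            if um:
                conds = [p for p in stack if p.lower().startswith(CONDITIONAL_AT_RULES)]
                refs.append((um.group(1), conds))
    return refs


def assess_email_html(html):
    """One finding per remote load; 'conditional' ones can leak client capabilities."""
    findings = []
    for css in extract_css(html):
        for url, conds in find_remote_refs(css):
            findings.append({"url": url, "conditions": conds, "conditional": bool(conds)})
    return findings


def strip_remote_css(css):
    """Blanket mitigation: replace every remote url(...) with 'none'."""
    return REMOTE_URL_TOKEN.sub("none", css)


# Constructed sample message (not a real email); example.test is a reserved domain.
SAMPLE_EMAIL = """<html><head><style>
  body { font-family: sans-serif; }
  .logo { background-image: url("https://mail.example.test/logo.png"); }
  @media (prefers-color-scheme: dark) {
    .logo { background-image: url('https://mail.example.test/t?dark=1'); }
  }
  @supports (container-type: inline-size) {
    .hdr { background: url(//mail.example.test/t?cq=1) }
  }
</style></head>
<body><div class="logo" style="color:#333; background:url(https://mail.example.test/t?inline=1)">Hi</div></body></html>"""

if __name__ == "__main__":
    for f in assess_email_html(SAMPLE_EMAIL):
        tag = "CONDITIONAL" if f["conditional"] else "remote     "
        print(tag, f["url"], f["conditions"])
```

Running the block on the sample reports four remote loads, two of them conditional (the dark-mode and container-query probes); stripping the remote `url()` tokens leaves no findings. A real mail client applies the same decision before rendering, which is why "load remote content" prompts matter for CSS as much as for tracking pixels.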
By:
Leon Trampert | PhD Student, CISPA Helmholtz Center for Information Security
Daniel Weber | PhD Student, CISPA Helmholtz Center for Information Security
Full Abstract and Presentation Materials:
https://www.blackhat.com/asia-25/briefings/schedule/#invisible-ink-privacy-risks-of-css-in-browsers-and-emails-43871