Full Report
Who needs JavaScript? Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS).…
Analysis Summary
# Vulnerability: Novel SVG/CSS Based Clickjacking Attack
## CVE Details
- CVE ID: Not specified in the source material.
- CVSS Score: Not specified in the source material.
- CWE: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the clickjacking/UI-redress weakness class. (CWE-208, Observable Timing Discrepancy, describes the earlier pixel-perfect timing attacks this work builds on, not this technique.)
## Affected Systems
- Products: Web browsers whose SVG filter implementation lets a filter placed over a cross-origin iframe operate on the framed page's pixels (reported to affect multiple browsers, including Chrome and Firefox).
- Versions: No specific vulnerable versions are given; the behaviour is part of core rendering rather than a version-specific defect.
- Configurations: Web pages that can be framed by other origins (no `X-Frame-Options` or `Content-Security-Policy: frame-ancestors` restriction) are exposed to the framing variant. Sites with an HTML-injection flaw are also affected where an attacker can inject CSS/SVG without script execution, since a CSP that only blocks JavaScript does not stop the filter logic.
## Vulnerability Description
Security researcher Lyra Rebane discovered a clickjacking technique that sidesteps the protection the same-origin policy (SOP) is expected to provide, using SVG filters combined with CSS and no JavaScript. The attack relies on SVG filter primitives (specifically `feBlend` and `feComposite`) which, when rendered inside an iframe overlaid on the attacker's page, can leak pixel information across origins. Because these primitives can be composed into logic gates, the filter graph is "functionally complete": it can compute arbitrary boolean functions of the visual content of the underlying page. That turns a one-shot clickjack into an automated, multi-step interaction, as shown in the proof-of-concept (PoC) that exfiltrates text from a Google Docs interface.
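The claim that a filter graph is "functionally complete" is easiest to see by writing out the per-pixel arithmetic the browser performs. The following is an added example, not code from the article or from the researcher's PoC: it models three SVG filter primitives on premultiplied pixels using the formulas from SVG 1.1 / Filter Effects Module Level 1 and builds AND, OR, NOT and XOR from them. Which primitives the researcher's filters actually use for each gate is not stated in the source, so the gate constructions (and the use of `feColorMatrix` for the inverter) are this example's own. It also shows a caveat a practitioner will hit: `feComposite operator="arithmetic"` applies its formula to the alpha channel too, so the tempting single-primitive XOR produces a transparent pixel.

```javascript
// Added example (not from the article or the researcher's PoC): pixel-level
// model of SVG filter primitives over black/white pixels, to show that a
// filter graph can compute any boolean function. Formulas follow SVG 1.1 /
// Filter Effects Module Level 1; the gate constructions are this example's own.
//
// A pixel is one premultiplied colour channel plus alpha: [c, a], both in [0,1].
// "Binary" pixels are opaque black [0,1] (false) and opaque white [1,1] (true).

const clamp01 = (x) => Math.min(1, Math.max(0, x));

// Union alpha shared by every feBlend mode: ar = 1 - (1 - aa)(1 - ab).
const blendAlpha = (aa, ab) => 1 - (1 - aa) * (1 - ab);

// <feBlend mode="multiply"> (premultiplied form from the spec):
//   cr = (1 - ab) * ca + (1 - aa) * cb + ca * cb   -> AND on opaque 0/1 pixels
function feBlendMultiply([ca, aa], [cb, ab]) {
  return [(1 - ab) * ca + (1 - aa) * cb + ca * cb, blendAlpha(aa, ab)];
}

// <feBlend mode="screen">: cr = cb + ca - ca * cb   -> OR on opaque 0/1 pixels
function feBlendScreen([ca, aa], [cb, ab]) {
  return [cb + ca - ca * cb, blendAlpha(aa, ab)];
}

// <feComposite operator="arithmetic" k1 k2 k3 k4>: the formula is applied to
// EVERY channel, alpha included; colour is then clamped to [0, alpha].
function feCompositeArithmetic(k1, k2, k3, k4, [ca, aa], [cb, ab]) {
  const ar = clamp01(k1 * aa * ab + k2 * aa + k3 * ab + k4);
  const cr = Math.min(ar, clamp01(k1 * ca * cb + k2 * ca + k3 * cb + k4));
  return [cr, ar];
}

// <feColorMatrix type="matrix"> with colour rows "-1 0 0 0 1" and an identity
// alpha row: inverts colour in non-premultiplied space, keeps alpha -> NOT.
function feColorMatrixInvert([c, a]) {
  if (a === 0) return [0, 0];          // transparent pixel: nothing to invert
  const straight = c / a;              // un-premultiply
  return [(1 - straight) * a, a];      // invert, re-premultiply
}

// Boolean gates as primitive chains over binary pixels.
const WHITE = [1, 1], BLACK = [0, 1];
const px = (b) => (b ? WHITE : BLACK);
const bit = ([c, a]) => (a > 0.5 && c / a > 0.5 ? 1 : 0);

const AND = (a, b) => bit(feBlendMultiply(px(a), px(b)));
const OR  = (a, b) => bit(feBlendScreen(px(a), px(b)));
const NOT = (a)    => bit(feColorMatrixInvert(px(a)));
// XOR = (a OR b) AND NOT (a AND b): four primitives chained via result="…"/in="…".
const XOR = (a, b) => AND(OR(a, b), NOT(AND(a, b)));

// The tempting one-primitive XOR (arithmetic with k1=-2, k2=1, k3=1) fails:
// the same formula hits alpha (-2*1*1 + 1 + 1 = 0), so the output is transparent.
// Returns the resulting alpha so the failure is observable.
function arithmeticXorAlpha(a, b) {
  return feCompositeArithmetic(-2, 1, 1, 0, px(a), px(b))[1];
}

function truthTable(gate) {
  return [[0, 0], [0, 1], [1, 0], [1, 1]].map(([a, b]) => gate(a, b));
}

// Equivalent markup for the XOR chain, so the model can be checked in a browser.
// "a" and "b" are assumed to be the result names of whatever earlier primitives
// produce the two operand images (e.g. feImage or feFlood).
function xorFilterMarkup() {
  return `<filter id="xor" color-interpolation-filters="sRGB">
  <feBlend mode="screen" in="a" in2="b" result="or"/>
  <feBlend mode="multiply" in="a" in2="b" result="and"/>
  <feColorMatrix in="and" type="matrix"
    values="-1 0 0 0 1  0 -1 0 0 1  0 0 -1 0 1  0 0 0 1 0" result="nand"/>
  <feBlend mode="multiply" in="or" in2="nand"/>
</filter>`;
}

console.log('AND', truthTable(AND), 'OR', truthTable(OR), 'XOR', truthTable(XOR));
console.log('alpha after arithmetic XOR attempt:', arithmeticXorAlpha(0, 1));
```

With AND and NOT available (NAND), any boolean function of the framed pixels can be expressed as a filter chain, which is what makes the attack programmable without script. The alpha caveat matters in practice: any gate built on `arithmetic` compositing must be followed by a primitive that restores alpha, or the result is clamped to transparent black.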
## Exploitation
- Status: PoC available (Demonstrated for Google Docs text exfiltration).
- Complexity: Medium (requires crafting functionally complete SVG filter chains; simpler than the earlier pixel-timing attacks it builds on, but more involved than traditional overlay clickjacking).
- Attack Vector: Network (Requires convincing a victim to visit a malicious page hosting the malicious iframe).
## Impact
- Confidentiality: High (Ability to read sensitive data visible on underlying pages, as demonstrated with Google Docs text).
- Integrity: High (Ability to trick users into unintended actions, core to clickjacking).
- Availability: Low (No indication of direct denial of service).
## Remediation
### Patches
- No browser patch is listed as a deployed fix. The researcher notes that a related Chromium bug was closed as "won't fix", which indicates the vendor does not treat the underlying rendering behaviour as a browser bug to be patched, so the workarounds below are the practical mitigation for site owners.
### Workarounds
- Pages that must remain frameable can use the **Intersection Observer v2 API** (`trackVisibility: true` with a `delay` of at least 100 ms) and gate sensitive actions on `entry.isVisible`, which the browser sets to false when the frame is covered, transformed, made translucent, or has a filter such as an SVG filter applied to it or an ancestor. This is currently implemented in Chromium only; other engines never set `isVisible`, so treat a missing value as "not verified".
- For pages that are never meant to be framed: set **`X-Frame-Options: DENY`** (or `SAMEORIGIN`) and **`Content-Security-Policy: frame-ancestors`**. Only `frame-ancestors` can express a cross-origin allow list; the old `ALLOW-FROM` directive is ignored by modern browsers.
- For sites with HTML injection: sanitize user content so `<svg>`, `<style>` and `style` attributes cannot be injected, and restrict `style-src` in the CSP. A CSP that only blocks scripts does not help, because this attack needs no JavaScript.
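The two defender-side pieces above, as an added example that is not code from the article or from any affected vendor: a header builder for pages that must not be framed (or only by known origins), and a visibility guard for a page that must be framed, built on Intersection Observer v2's `isVisible`. The function names (`buildFramingHeaders`, `createVisibilityGuard`, `actionAllowedByVisibility`) and the sample allow-list origin are this example's own.

```javascript
// Added example (not from the article): framing headers plus an Intersection
// Observer v2 guard. Names below are this example's own, not a library API.

// 1. Response headers. X-Frame-Options has no cross-origin allow-list form
//    (ALLOW-FROM is obsolete), so when specific ancestors are allowed only
//    frame-ancestors can express it.
function buildFramingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    return {
      'Content-Security-Policy': "frame-ancestors 'self'",
      'X-Frame-Options': 'SAMEORIGIN',
    };
  }
  // Cross-origin allow list: no XFO equivalent, so omit it rather than lie.
  return {
    'Content-Security-Policy': `frame-ancestors ${allowedAncestors.join(' ')}`,
  };
}

// 2. Visibility gate for a page that must be embeddable. Chromium sets
//    entry.isVisible = false when the frame is occluded, transformed, made
//    translucent, or has a filter (e.g. an SVG filter) on it or an ancestor.
//    Other engines never set isVisible, so undefined counts as "not verified".
function actionAllowedByVisibility(entry) {
  return !!entry && entry.isIntersecting === true && entry.isVisible === true;
}

function createVisibilityGuard(onAction) {
  let lastEntry = null;
  return {
    // delay must be >= 100 ms when trackVisibility is true, or observe() throws.
    observerOptions: { threshold: [1.0], trackVisibility: true, delay: 100 },
    observerCallback(entries) { lastEntry = entries[entries.length - 1]; },
    handleClick(ev) {
      if (!actionAllowedByVisibility(lastEntry)) {
        ev.preventDefault();   // refuse: frame not verified visible and unobstructed
        return false;
      }
      onAction(ev);
      return true;
    },
  };
}

// Wiring in the framed page; only runs in a browser with IO v2 support.
// The "#delete-document" selector is an assumed element id for illustration.
if (typeof document !== 'undefined' && typeof IntersectionObserver === 'function') {
  const button = document.querySelector('#delete-document');
  if (button) {
    const guard = createVisibilityGuard(() => console.log('action performed'));
    new IntersectionObserver(guard.observerCallback, guard.observerOptions).observe(button);
    button.addEventListener('click', (ev) => guard.handleClick(ev));
  }
}

// Constructed usage for a page embeddable only by one partner origin.
const partnerHeaders = buildFramingHeaders(["'self'", 'https://partner.example']);
```

The header builder returns plain objects so it can be dropped into whatever framework sets response headers. The guard refuses by default: a click that arrives before the observer has reported, or on an engine that does not implement `trackVisibility`, is blocked rather than allowed, which is the safe direction for a destructive action.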
## Detection
- **Indicators of Compromise (IoC):** The source gives no network-level indicator specific to this technique. On the attacking page, the tell is a cross-origin iframe with complex, often obfuscated SVG filter chains applied to it or its container, rather than the single overlay of traditional clickjacking.
- **Detection Methods and Tools:** Audit third-party or user-supplied markup for SVG filters that chain `feBlend` and `feComposite` in ways that compute rather than style (long `result`/`in` chains, repeated multiply/screen/arithmetic steps). Framed pages can detect and log occlusion at runtime with Intersection Observer v2 (`isVisible` false while the page is intersecting). Script-focused telemetry alone will miss this attack, since it executes no JavaScript.
## References
- Vendor advisories: Google awarded a bug bounty ($3133.70) for reporting the vulnerability. A related Chromium bug ID is 401081629.
- Relevant links:
- Researcher summary: hxxps://lyra.horse/blog/2025/12/svg-clickjacking/
- PoC demonstration (YouTube): hxxps://www.youtube.com/watch?v=INgS4IipEhU&t=1516s
- Related work (Perfect Pixel Timing Attacks): hxxps://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf