Lyra Rebane uncovered a novel SVG and CSS-based clickjacking attack that can bypass traditional web security measures. This technique manipulates cross-origin data leakage and has been demonstrated to exfiltrate sensitive information, highlighting ongoing vulnerabilities in web application security. #SVGClickjacking #CrossOriginLeaks
Keypoints
- Lyra Rebane developed a new attack method using SVG filters and CSS for clickjacking.
- The attack exploits SVG filters to leak information across web origins, violating same-origin policy.
- It can be used to exfiltrate data from platforms like Google Docs even when framing is allowed.
- Traditional defenses like X-Frame-Options and Content Security Policy may not prevent this attack.
- Developers can use the Intersection Observer API to detect when SVG filters are covering iframes as a mitigation.
Read More: https://www.theregister.com/2025/12/05/css_svg_clickjacking/