The idea of using just #CSS to fingerprint email clients and browsers is wild. The approach suggested in this repo
https://github.com/cispa/cascading-spy-sheets
and further #research paper
explain the technique that works even if #javascript is disabled.
They further explain that they reached out both to #Tor and #BraveBrowser where such exploits should be mitigated.
One example where such an exploit can cause even more precision is when it is incorporated into #phishing attacks. Since the exploit was also able to depict the operating system, meaning one could combine existing exploits for a more targeted attack.
@barefootstache
So, that's TL/DR for me. One question: Does this attack work for those of us who read email in plaintext?
@paraplegic_racehorse from my understanding it depends on the email provider or service. So if the provider/service does not permit CSS, then no attack via CSS is possible.
@barefootstache From what i can understand, Tor isn't really safe to use as those kind of attack vectors are either not patched or not even considered as a vulnerability in the first place...
Here's an old blogpost:
https://hackerfactor.com/blog/index.php?/archives/906-Tor-0day-The-Management-Vulnerability.html
(and as far as i am aware, nothing much has changed since then.)