The idea of using just #CSS to fingerprint email clients and browsers is wild. The approach suggested in this repo
https://github.com/cispa/cascading-spy-sheets
and further #research paper
explain the technique that works even if #javascript is disabled.
They further explain that they reached out to both #Tor and #BraveBrowser, where such exploits should be mitigated.
One example where such an exploit can cause even more precision is when it is incorporated into #phishing attacks. Since the exploit was also able to depict the operating system, one could combine existing exploits for a more targeted attack.
@paraplegic_racehorse From my understanding, it depends on the email provider or service. So if the provider/service does not permit CSS, then no attack via CSS is possible.