Invisible Ink: Privacy Risks of CSS in Browsers and Emails

Black Hat Asia 2025 · Day 2 · Briefings

In "Invisible Ink: Privacy Risks of CSS in Browsers and Emails," Leon and Daniel from the CISPA Helmholtz Center for Information Security unveil a sophisticated and often overlooked vector for user tracking and targeted attacks: **CSS-based browser and email client fingerprinting**. The talk meticulously demonstrates how modern Cascading Style Sheets (CSS), traditionally used for website styling, can be weaponized to uniquely identify users, gather sensitive system information, and even facilitate highly evasive phishing campaigns, all without relying on JavaScript. This research is particularly significant because it bypasses common privacy defenses like ad blockers and NoScript, which primarily target JavaScript-based tracking.

AI review

Leon and Daniel's "Invisible Ink" is a critical piece of technical research that meticulously exposes how modern CSS, often overlooked by traditional security tools, can be weaponized for advanced user fingerprinting and targeted attacks, especially within email clients. Their work not only details novel attack vectors like cloaked phishing and leak detection without JavaScript but also uncovers critical vulnerabilities in popular email clients. This talk is a wake-up call for both users and security professionals, demanding a fundamental re-evaluation of client-side security and email…
