Committing CSS Crimes for fun and profit - Lyra Rebane
Disobey 2026 · Main Stage
In her engaging Disobey talk, "Committing CSS Crimes for fun and profit," Lyra Rebane, also known as Ray Bane, takes the audience on a journey from playful web styling exploits to discovering high-impact security vulnerabilities. The presentation explores the often-underestimated power of CSS, demonstrating how seemingly innocuous styling capabilities can be weaponized for UI spoofing, data exfiltration, and complex clickjacking attacks. Rebane challenges the conventional view of CSS, asserting its potential as a "programming language" when wielded creatively by attackers.
AI review
Rebane takes a genuinely novel attack surface — CSS and SVG filters — and walks it all the way from playful Cohost art projects to QR code data exfiltration out of cross-origin iframes with zero JavaScript. The research is original, the CVEs are real, and the SVG filter logic-gate work is the kind of thing that makes you stop and re-read a slide twice.