Security researcher Lyra Rebane has uncovered a powerful new clickjacking technique using SVG filters.
This method, dubbed “SVG clickjacking,” overlays interactive fake interfaces on cross-origin iframes to trick users into performing complex actions, such as filling out forms or entering data.
Traditional clickjacking hides a target button beneath a transparent layer so that a single click on a visible decoy lands on it.
SVG clickjacking goes further by letting attackers read pixels from the target iframe and run logic to create responsive overlays.
Rebane discovered this while recreating Apple’s Liquid Glass effect with SVG filters like feDisplacementMap and feColorMatrix, which surprisingly worked over iframes.
Technical Breakdown
SVG filters process images pixel-by-pixel using primitives such as feTile for cropping/tiling, feComposite for arithmetic operations, feBlend for modes like difference, and feColorMatrix for channel manipulation.
Attackers crop specific pixels (e.g., button colors or text presence), tile them across the canvas, and convert colors to binary masks via thresholding with feComposite's arithmetic operator: result = k1·i1·i2 + k2·i1 + k3·i2 + k4, where the output is clamped to the 0–1 range, so a large k2 turns any non-zero intensity into 1.
These build logic gates: NOT (feBlend difference with white), AND (feComposite with k1=1), OR (k2=1, k3=1), enabling Turing-complete computation within filters.
For example, in a “Securify” demo, inputs detect dialog visibility (D), load state (L), a checkbox (C), and red text (R) via pixel sampling and gates: (¬D ∧ ¬R) shows button1, and (D ∧ L ∧ ¬C) shows checkbox.
| Primitive | Function | Attack Use |
|---|---|---|
| feTile | Crop/tile pixels | Sample button color |
| feComposite | Arithmetic blend | Threshold to binary (k2=100) |
| feBlend | Difference/multiply | Logic gates (XOR, NOT) |
| feColorMatrix | Channel matrix | Luma-to-alpha matte |
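To make the arithmetic in the paragraph and table above concrete, here is an added example (not code from the article or from Rebane's research) that models feComposite's arithmetic operator on a single channel value in [0, 1]. It shows why the quoted k-values act as a threshold and as AND/OR gates, why feBlend difference against white acts as NOT, and how the Securify demo's two expressions fall out of those gates. Real filters apply this per pixel and per channel; the scalar model, the `securifyOutputs` function and its sample intensities are simplifications made for this demo.

```javascript
// Added example, not code from the original article or from Rebane's research.
// Scalar model of SVG filter arithmetic on one channel value in [0, 1].

// SVG clamps every filter primitive's output to [0, 1]; the clamp is what
// turns plain arithmetic into a step function.
const clamp = x => Math.min(1, Math.max(0, x));

// feComposite operator="arithmetic": result = k1*i1*i2 + k2*i1 + k3*i2 + k4
function arithmetic(i1, i2, { k1 = 0, k2 = 0, k3 = 0, k4 = 0 } = {}) {
  return clamp(k1 * i1 * i2 + k2 * i1 + k3 * i2 + k4);
}

// Threshold: k2=100 pushes any intensity of 1% or more up to 1, leaves 0 at 0.
const threshold = i => arithmetic(i, 0, { k2: 100 });
// AND: k1=1 gives the product, which is 1 only when both inputs are 1.
const and = (a, b) => arithmetic(a, b, { k1: 1 });
// OR: k2=1, k3=1 gives the sum, clamped to 1 when either input is 1.
const or = (a, b) => arithmetic(a, b, { k2: 1, k3: 1 });
// NOT: feBlend mode="difference" against a white (1.0) input yields |1 - a|.
const not = a => Math.abs(1 - a);

// Gate network from the "Securify" demo, fed with raw sampled intensities
// (constructed values, not real pixel data). Returns which overlay element
// the network would make visible: 1 = shown, 0 = hidden.
function securifyOutputs(samples) {
  const D = threshold(samples.dialog);    // dialog visible?
  const L = threshold(samples.loaded);    // load finished?
  const C = threshold(samples.checkbox);  // checkbox ticked?
  const R = threshold(samples.redText);   // red text present?
  return {
    showButton1: and(not(D), not(R)),      // (¬D ∧ ¬R)
    showCheckbox: and(and(D, L), not(C)),  // (D ∧ L ∧ ¬C)
  };
}

// Two constructed states: idle page, then dialog open with red text visible.
console.log(securifyOutputs({ dialog: 0, loaded: 0, checkbox: 0, redText: 0 }));
console.log(securifyOutputs({ dialog: 0.8, loaded: 0.6, checkbox: 0, redText: 0.3 }));
```

The point for a reviewer auditing filter markup is that a filter chain never needs JavaScript to branch: a clamp plus a large multiplier is already a comparator, and a product or sum of two such masks is already a gate.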
Rebane demonstrated the technique against Google Docs: detecting the “Generate Document” popup, showing a fake CAPTCHA textbox (with placeholder text hidden by a grey-text filter), adding a suggestion, and then displaying a loading screen. The finding earned a $3,133.70 Google VRP bounty.
Real-World Risks and Defenses
Attackers can also exfiltrate data by encoding sampled pixels into QR codes, using precomputed Reed-Solomon tables inside the filters, and prompting the user to scan the code under the pretext of an “anti-bot” check. Because no JavaScript is needed, the technique bypasses CSP script restrictions and works anywhere the target page can be loaded in an iframe.
Mitigations include X-Frame-Options: DENY, the CSP frame-ancestors directive, and Intersection Observer v2 to detect overlays on embedded frames.
Browsers fixed timing-based pixel leaks, but constant-time filters remain exploitable; developers should audit filter usage on frames.
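Since every variant described here depends on the target being framable, the first audit a defender should run is on the framing headers listed above. The following is an added example, not code from the article or from Rebane's research: it parses X-Frame-Options and the CSP frame-ancestors directive from a response header set, reports who could embed the page, and includes the one precedence rule that trips teams up (when frame-ancestors is present, browsers ignore X-Frame-Options). The header sets in `SAMPLES` are constructed for the demo, and the parser assumes a single Content-Security-Policy header.

```javascript
// Added example, not code from the original article or from Rebane's research.
// Audits HTTP response headers for the framing controls named above.

// Extract the value tokens of one CSP directive (quotes stripped, lowercased),
// or null if the directive is absent.
function cspDirective(csp, name) {
  for (const raw of csp.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Returns one of: 'blocked', 'same-origin-only', 'allowlisted', 'open'.
// frame-ancestors is evaluated first because browsers ignore X-Frame-Options
// whenever that directive is present.
function framingVerdict(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const csp = h['content-security-policy'];
  const ancestors = csp ? cspDirective(csp, 'frame-ancestors') : null;
  if (ancestors) {
    if (ancestors.length === 0 || ancestors.includes('none')) return 'blocked';
    if (ancestors.includes('*') || ancestors.some(s => /^https?:$/.test(s))) return 'open';
    if (ancestors.every(s => s === 'self')) return 'same-origin-only';
    return 'allowlisted';  // explicit host list; only those origins may frame
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin-only';
  // ALLOW-FROM is obsolete and ignored by current browsers, so it is treated as open.
  return 'open';
}

// Header pair to emit on any page that must never be framed: the CSP directive
// for current browsers, X-Frame-Options as a legacy fallback.
function recommendedFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Constructed sample responses for the demo (not captured from any real site).
const SAMPLES = {
  noHeaders: { 'Content-Type': 'text/html' },
  legacyDeny: { 'X-Frame-Options': 'DENY' },
  selfOnly: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  partner: { 'Content-Security-Policy': 'frame-ancestors https://partner.example' },
  // Misconfiguration: the CSP directive wins, so DENY does nothing here.
  conflicting: { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' },
};

function auditAll(samples = SAMPLES) {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) out[name] = framingVerdict(headers);
  return out;
}

console.log(auditAll());
console.log('recommended:', framingVerdict(recommendedFramingHeaders()));
```

Run it against a crawl of your own responses and treat any 'open' or 'allowlisted' verdict on a page with authenticated state as a finding; the `conflicting` sample is worth keeping in the fixture set because a DENY header sitting next to a permissive frame-ancestors looks safe in a header dump and is not.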
This elevates clickjacking from static tricks to dynamic attacks, urging web teams to rethink visual rendering security.