• CrackedLinuxISO@lemmy.dbzer0.com · English · ↑ 21 · 8 days ago (edited)

    Generally, browsers try to make it very difficult for the contents of one website to read or interact with the contents of another website. There is a class of attacks called cross-site request forgery (CSRF) where website A tries to trick the browser into sending a web request to website B and performing some action which requires authentication. In this case, the action would be to like a Facebook post.

    Imagine something really basic like your bank has an endpoint GET shite-bank.com/account/transfer?funds=100&to=myEvilAccount. Website B could try and redirect you to that URL. If you’re logged in to shite-bank, then when that request completes you will transfer 100 funds to me. Generally, most websites use various techniques and tokens to prevent other websites from triggering requests like this.

    I clicked through the source article, and it sounds like this is specifically a Windows thing: original article says that when a Windows machine loads the malicious SVG, the malicious JS is parsed in a Microsoft Edge browser process, regardless of the browser a user visited the porn site with (apparently all Windows SVGs load through Edge). I would guess that there is some aspect of this context switch which enables the CSRF attack to work, but it is not explained in the original article.
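
Added example, not part of the thread: a sketch of the "techniques and tokens" the comment above mentions, applied to its transfer endpoint. The handler, key and session values are hypothetical and constructed for illustration; the token is an HMAC of the session ID, which is one common scheme and not necessarily what any particular site uses.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real service would load this from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to one session; the site embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(method, session_id, form):
    """Hypothetical handler for /account/transfer. Returns (status, message)."""
    if session_id is None:
        return 401, "not logged in"
    # A state-changing action must not be reachable by GET: a redirect, link or
    # image tag on another site sends a GET with the user's cookies attached.
    if method != "POST":
        return 405, "transfer requires POST"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # The other site cannot read the token out of the bank's pages, so a forged
    # request arrives without it. Compare in constant time.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred {} to {}".format(form.get("funds"), form.get("to"))


def demo():
    sid = "session-abc123"  # constructed session cookie value
    forged = {"funds": "100", "to": "myEvilAccount"}
    genuine = {"funds": "100", "to": "landlord", "csrf_token": issue_csrf_token(sid)}
    return (
        handle_transfer("GET", sid, forged),    # the redirect from the comment
        handle_transfer("POST", sid, forged),   # cross-site form post, no token
        handle_transfer("POST", sid, genuine),  # form served by the site itself
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```
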

    • ReversalHatchery@beehaw.org · ↑ 6 · 8 days ago

      > I clicked through the source article, and it sounds like this is specifically a Windows thing: original article says that when a Windows machine loads the malicious SVG, the malicious JS is parsed in a Microsoft Edge browser process, regardless of the browser a user visited the porn site with (apparently all Windows SVGs load through Edge).

      what the actual fuck? does that mean that even if I only use firefox, edge is involved in loading SVGs? how??

        • ReversalHatchery@beehaw.org · ↑ 3 · 7 days ago

          that does not explain how it happens when the svg appears on a page in firefox. firefox won’t try to open all embedded assets with the default file handler in the OS, it will directly use its built-in tools to handle it.

      • purplemonkeymad@programming.dev · ↑ 3 · 7 days ago

        I think it’s saying that the default association for SVG is edge, as setting a default browser does not change that. If you use another image viewer for SVG it might behave differently.

        • ReversalHatchery@beehaw.org · ↑ 2 · 7 days ago

          but how does edge get opened? firefox, and pretty sure chrome too, aren’t searching the OS file associations for each asset they received from the site. they won’t decode the png images with Windows Photos or whatever, they will use their internal tools to process it.

          file associations would only affect if you open an svg file in the filesystem with a file manager. but I don’t see how edge gets into the picture when the user is just using another browser, because it’s rare that a user saves an SVG