This page tests to see if your browser is vulnerable to Cascading Style Sheets (CSS) data leakage. If you are vulnerable, one way to protect yourself is to install the CSS Exfil Protection plugin for your browser.
The CSS Exfil vulnerability detailed in this lengthy post is a method attackers can use to steal data from web pages using Cascading Style Sheets (CSS). CSS - one of the building blocks of the modern web - is used by developers to control the look-and-feel of a website and is present on nearly every modern page on the internet. By crafting targeted CSS selectors and injecting them into a web page, an attacker can trick the page into sending pieces of data to a remote server (e.g. usernames, passwords, and sensitive data such as date of birth, social security numbers, and credit card numbers).
This page attempts to load four remote images using CSS selectors which parse a hidden text field. If it is able to load any of those four images your browser is vulnerable to the CSS Exfil attack.
There is no malicious code on this page. This page simply attempts to use CSS to load four images by checking if a hidden field contains the text 'abc'.
Maybe. The Chrome and Firefox plugins presented above appear to guard against the type of CSS Exfil attacks presented in the technical write up. Although I am not aware of other methods of exploitation at this time, it doesn't mean that such an attack doesn't exist. As such: the plugins are provided as-is without any warranty or guarantee, under the MIT License. If you discover an attack method which bypasses the plugin I would certainly like to hear from you!
There may be another plugin that is causing this plugin from working properly. Try disabling all plugins and re-enabling each one at a time. When you find the plugin that's causing the problem let me know and I'll try to diagnose and push out an update.
Read the technical write up to understand the anatomy of the vulnerability. At the bottom there is a section: Defense for Website Operators.
I certainly hope not! I'm as much at risk as you. I discovered the attack method described in my technical write up Fall 2017. It took a while to disclose the vulnerability as I wanted to not only understand the full scope, but provide a solution. The methods detailed are not necessarily new, so there is the possibility that such a technique has been used to harvest user data in the past, so public disclosure is the best path to a more secure web.
Beyond keeping your browser up-to-date and being careful to not click on websites which may be risky or malicious, installing a privacy extension such as Privacy Badger (or alternative) and HTTPS Everywhere can go along way to protect your safety and privacy online.
The image is a screenshot of an Apple II graphical shareware demo called "DA BIN ICH ...". The demo consists of a Hi-Res portrait of a man who occasionally will wink and stick out his tongue. I wanted to use a quirky image as part of the vulnerability tester, and it's about as quirky as you can get.