K but why is this even possible through CSS...

Linked below is a pure CSS keylogger, i.e., now you can get your passwords stolen through a stylesheet. Keep your head on a swivel kids.

https://github.com/maxchehab/...

It's possible because it makes a request through the background-image. If the property changes (like when the selector which didn't match an element suddenly does by wildcards), a new request could be made. So you can make a different selector for each letter, and monitor the sequence of calls to your server. Voila, keylogger.

Man, and here I thought CSS was one of the good guys...

Pretty obvious if you note the traffic tho :p

But technically interesting, i suppose.

@lotd As in, not an issue if your monitoring your server traffic?

@Vip3rDev for each character input into a type=password,
it requests a background image thats probably blank..

Im almost always curiously peeking the network tab, so i would probably see it..

Guess i could use it against, by visiting from a bunch of machines, crunching through a wordlist :p

@peiche – I understand _how_ it works. I meant "from a security standpoint, how could the potential of this breach not have raised flags earlier."

Oh, I get what you mean @lotd, I typically have dev tools open when browsing too just from habit. But now I have even more reason to pay attention to the network tab!

@webnoob I gotcha. ¯\_(ツ)_/¯

Shit those motherfuckers were right who were saying CSS is a programming language. 😅😕🤔🤐

Just before people start worrying about this, just know that for this to actually be exploited the malicious user would have to have access to the javascript/css being served from the contaminated page. If they do have this access, then there are much bigger issues to worry about.

The most "straight forward" and realistic scenario I could ever think of this being used is if Bob uses a CSS library that contains the contaminated code that makes the key logging requests to the malicious server? I'm not sure it's something to be worried about, just cautious of!

Well everyone has a good side as well as a bad side. @Vip3rDev

@gitgood
> access to the javascript/css being served from the contaminated page

You mean like all advertisements on the web?

@lotd Many websites continuously fire off ajax requests, and it could look a lot more obfuscated.

@CapnHammered Most users don't have totally random passwords. If it logs "ChdrlCharlie123" I could guess the pet name, and where the backspacing happened...

https://instagram.com.”s to affect controlled components like React. It also states it in the repo “Open a website that uses a controlled component framework such as React. https://instagram.com.”