K but why is this even possible through CSS...

Linked below is a pure CSS keylogger, i.e., now you can get your passwords stolen through a stylesheet. Keep your head on a swivel kids.


  • 9
    It's possible because it makes a request through the background-image. If the property changes (like when the selector which didn't match an element suddenly does by wildcards), a new request could be made. So you can make a different selector for each letter, and monitor the sequence of calls to your server. Voila, keylogger.
  • 12
    Man, and here I thought CSS was one of the good guys...
  • 4
    This is just terrifying... :/
  • 4
    Pretty obvious if you note the traffic tho :p

    But technically interesting, i suppose.
  • 3
    @lotd As in, not an issue if your monitoring your server traffic?
  • 4
    @Vip3rDev for each character input into a type=password,
    it requests a background image thats probably blank..

    Im almost always curiously peeking the network tab, so i would probably see it..

    Guess i could use it against, by visiting from a bunch of machines, crunching through a wordlist :p
  • 2
    @peiche – I understand _how_ it works. I meant "from a security standpoint, how could the potential of this breach not have raised flags earlier."
  • 2
    Oh, I get what you mean @lotd, I typically have dev tools open when browsing too just from habit. But now I have even more reason to pay attention to the network tab!
  • 1
    @webnoob I gotcha. ¯\_(ツ)_/¯
  • 7
    Shit those motherfuckers were right who were saying CSS is a programming language. 😅😕🤔🤐
  • 0
    Just before people start worrying about this, just know that for this to actually be exploited the malicious user would have to have access to the javascript/css being served from the contaminated page. If they do have this access, then there are much bigger issues to worry about.

    The most "straight forward" and realistic scenario I could ever think of this being used is if Bob uses a CSS library that contains the contaminated code that makes the key logging requests to the malicious server? I'm not sure it's something to be worried about, just cautious of!
  • 1
    Well everyone has a good side as well as a bad side. @Vip3rDev
  • 1
    > access to the javascript/css being served from the contaminated page

    You mean like all advertisements on the web?

    @lotd Many websites continuously fire off ajax requests, and it could look a lot more obfuscated.

    @CapnHammered Most users don't have totally random passwords. If it logs "ChdrlCharlie123" I could guess the pet name, and where the backspacing happened...
  • 0
    https://instagram.com.”s to affect controlled components like React. It also states it in the repo “Open a website that uses a controlled component framework such as React. https://instagram.com.”
Add Comment