undefined | Better HN

0 pointstialaramex6y ago0 comments

Dubious. On a desktop device it's really common for there to be mechanisms that make it easy for software to steal the clipboard contents and intercept keypresses because these are things that some legitimate desktop software needs. There may often be a documented API that even a mediocre programmer can use to get this working in a few hours.

On the other hand, stealing session tokens is typically going to require reaching inside the browser process, which is perhaps the most sophisticated software on a machine, and then groping around to find these tokens. It definitely is possible in some cases but it's likely to be pretty hard.

I'd compare it to the difference between stealing a person's credit card from a bag they left under their seat versus reaching under somebody's shirt to take the money they've tucked into their bra. I don't doubt that somebody, somewhere, is good enough to get away with that second one unnoticed, but I know for sure the first one is easier.

0 comments

burner5894326y ago

Last I checked hooking key events in Windows requires SYSTEM access.

Stealing session tokens can be as easy as just pulling the entire browser profile, which I doubt requires elevated access.

I imagine black market postexploitation kits would have session data theft as a feature.

Again, if somebody has system access, you're probably completely fucked from a different angle irrespective of your preferred authentication method so now we're talking about semantics of how you're getting fucked because most 'apt's are going to be grepping your disk for words key phrases like 'financial data', not caring about your facebook account.

dfox6y ago

While it is true that hooking _all_ keyboard input requires SYSTEM access (because it involves either impersonating the session manager or injecting code into kernel), you don’t really need that to exfiltrate passwords for random websites that are entered into web browser. Owner of session can hook any event that is passed to the session, which obviously includes any keyboard event that the browser is going to see.

j / k navigate · click thread line to collapse