lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed Jun  7 17:17:51 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: file upload widgets in IE and Firefox have
	issues

On 6/7/06, Michel Lemay <mlemay@...eo.com> wrote:
> Would it be possible to use a similar technique to generate an URL with
> query parameters containing user keystrokes?  This URL could then be
> submitted to any compromised website.  The attacker could then look into
> logs and have a peek at theses submitted requests.

Yes, people have prototyped javascript key loggers.

http://www.whitehatsec.com/presentations/phishing_superbait.pdf

The whole presentation is pretty good, but the specific example
relevant to your question starts around page 28.  I don't know of any
attacks like this seen in the wild so far.  The presentation suggests
that once two-factor auth becomes common this is where attackers will
go next.  That makes sense to me.

- Brian

Powered by blists - more mailing lists