Jump to content

New Keylogging Threats A Possibilty!


Recommended Posts

A new threat is looming for browsers and it's not related to JavaScript.


Security researcher Mario Heiderich reported to the maker of Firefox last year that he had found an unusual vulnerability in the browser and two other Mozilla products that run on the Gecko engine, Thunderbird, and SeaMonkey. Based in the relatively new technology that allows for animated complex vector graphics in the browser, called SVG animation, the vulnerability allowed for a malware writer to detect key strokes even when JavaScript was disabled.


Basically, he found a way to turn innocuous Web pages into keyloggers. Mozilla patched the vulnerability in Firefox 9, Thunderbird 9, and SeaMonkey 2.6. Then, as is standard operating procedure, they announced to the public what the threat was and that it had been fixed. But the real threat may lie in what the threat wasn't: it wasn't based in JavaScript.


"The basic premise of my research currently is scriptless attacks, meaning attack vectors working in a post-XSS world," Heiderich said in an e-mail. He defined a "post-XSS" world as one where the cross-site scripting attack had been more or less minimized by technologies like sandboxed iFrames, Mozilla's e-mail client Thunderbird and Firefox's Content Security Policy, the JavaScript blocking browser add-on NoScript, and Windows 8.


"The desired goal was to do keystroke logging in the browser, doing so without necessitating JavaScript, so even if you turned off JavaScript it would work," said Jeremiah Grossman, Chief Technical Officer at computer security research firm White Hat Security. "All the browser developers are fixing cross-site scripting. What half a dozen researchers are exploring is what you can do attack-wise in a browser without JavaScript. They're discovering that there's still quite a lot you can do in the browser."


This particular SVG keylogging attack was quite nasty, said Chris Eng, vice president of research at Veracode, a computer security research firm:


"The way [it] works is that [the bad guy] binds the letter "a" to an action that causes the browser to silently issue a request for
Pressing "b" would trigger the browser to silently issue a request for
By "silently" I mean that there's no visual cues to the user that anything is happening--if you were monitoring the network you would see the requests. As long as the attacker controls evil.com and can access the web server logs, he can piece together what the victim is typing, one character at a time.

Eng noted that this kind of problem always erupts whenever new standards are rolled out, especially with "extremely detailed and sometimes difficult to understand" attributes. You don't have to go far to find evidence of this, either. Both Mozilla and Google offer hefty bounties for bug-hunters. Eng both cautioned against screaming that the sky was falling and said that this kind of attack was inherently more interesting to researchers.


A representative at Opera Inc., which has made the Opera browser since the 1990s, agreed that new specifications shouldn't necessarily be a threat to Web browsing.


"Standard organizations and Opera are continuously adding new ways of creating web content, and as the possible code paths increase, so will the possible attack surface of any web browser. Fortunately, new specifications normally consider any security or privacy issues up front," said Sigbjorn Vik, a core quality assurance tester at Opera, via e-mail. When asked about mobile versus desktops, he replied that as long as the technology used is the same, risks to mobile users are similar to those faced by desktop users.


As unlikely as Eng said it is for an average browser user to fall victim to these atypical and hard-to-implement attacks, Heiderich warned that it's not anomalous. "The SVG keylogger is just one example of many, and by far not the most impact ridden one," said Heiderich.


Another factor is that the major browser makers, including Google, Mozilla, Microsoft, Apple, and Opera, are all fairly responsive to fixing these threat vectors when discovered, said Grossman. But that doesn't mean that there aren't steps for the home user to take.


One way to minimize the risk from this kind of modern threat is to compartmentalize your risk, he said. "The best way [to protect yourself] is behavior, not product. Whether in Firefox, IE, or Chrome, I would use any one of the major browsers for secure browsing, such as banking or Facebook. For promiscuous browsing, such as news surfing, I use a different browser.


Eng concurred and said that there aren't many defenses against attacks that don't rely on JavaScript. "You usually have to just wait for the browser bugs to be fixed. So my options are more limited--either don't use that browser at all, use a completely separate browser for trusted sites versus untrusted ones, [or] stay off the Internet."


Originally posted at The Download Blog, By: Seth Rosenblatt



Link to comment
Share on other sites

There is a free add-on that works with Firefox, Internet Explorer and Flock called KeyScrambler Personal that will encrypt your keystrokes while typing. So if you are unfortunate enough to get infected with a keylogger (let's hope this doesn't happen) the bad guys will still be unable to read your keystrokes. It will look like a bunch of unreadable gibberish to them! An important security consideration if you do on-line banking and/or shopping. I recommend and have used this add-on with Firefox and IE for years as an added measure of security. Regards, Ritchie...

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...