Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Browser Event Hijacking. Show all posts

Browser Event Hijacking allows hacker to steal your password

Browser Event Hijacking

Be careful what you type on your web browser.  Hacker can hijack search command in browser and steal your password or any other sensitive data by social engineering attack.

The hacking method has been possible for years , but now two POCs has been published that demonstrate how an attacker can lure victims to give their password.

Browser Event Hijacking:

The hacker can hijack the browser event by using 'preventDefault' method on JavaScript, that cancels an operation while allowing all remaining handlers for the event to be executed. For Eg: if you press Ctrl+F , hackers can display their own search box instead of the browser search box.

The hack was initially posted here:
http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/

A simple code that hijacks the browser event and steal password :
$(window).keydown(function(evt){
                if((evt.which == "70" && (evt.metaKey || evt.ctrlKey))){
                        console.log("STRG+F");
                        evt.preventDefault();
                        /* display fake search */
                        $("#searchbox").slideDown(110);
                        $('#search').focus();



Then another researcher rebuild the POC with a fake list of leaked passwords. So someone just presses CTRL+F in his browser and types his password to look if it is leaked ,become victim.

The POC :
http://h43z.koding.com/blog/leaked.html

If you search for any keywords in the page, it will lure you to believe there is password with your search string.