CSS Keylogger - old is new again

This is "well known" research that resurfaces every other year. Let me tell you the story of how I heard about this in 2012 and put it into perspective.

Research: "Scriptless Attacks – Stealing the Pie Without Touching the Sill" (2012)

-=[ 📄 P.S. ]=-

All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.

#SecurityResearch
Comments

That reminds me a lot about how they made it so in JS you can't detect the colour of a link, since websites could put hidden links to their competitors and check if they were purple in order to see if the user visited their competitor's site...

tomysshadow

Netscape: Javascript is automatically disabled, people are secure
Hacker: **hacks via CSS**
Netscape: WAIT THAT'S ILLEGAL
Hacker: always has been 🔫

KangJangkrik

"Why is it hard to make friends over 30"

kenonerboy

I've never heard of CSS being used as an attack. I have to say as primitive as it is, it's pretty damn clever.

VworksArt

I was just thinking you should make a video about this and... you didn't take long to do it!

_pi

I've heard of CSS being a delivery mechanism for XSS, but this is definitely new and interesting to me, although it's now a decade old.

DSAhmed

Cross Site Styling "Other XSS" can get dangerous, but the main attack vector is that it can be abused to mask injected HTML to look like legit content of the website, and can carry out pretty effective phishing attacks.

mariustancredi

This can be used to deanonymize users of Tor. It is also why you should use the Tor Browser and why it tells you not to change the browser window's dimensions.
I'm not sure why you are saying it can't, as it definitely can. Maybe you are misunderstanding: what they mean by deanonymization in this context is just being able to distinguish two users from each other in a somewhat persistent way.

gyroninjamodder

If this blew your mind: did you actually know that HTML5 and CSS3 together are Turing complete?
Someone implemented Rule 110 with it 😵

BackfighterO

Additionally, it shows a great PoC using Chrome extensions as a CSS injector, which is less common to vet compared to malicious JS injection.

attention_shopping

I had once been very interested in hacking/cyber security but never pursued the interest for lack of experience and the vastness of the field. However, now that I am graduating with a CSCI degree and have some experience in various programming languages, this is a lot more feasible. The only reason that this was even brought to my attention was your incredibly informative videos. I am now considering a career path in the field and even a master's degree. This is all thanks to your hard work. I really appreciate what you do. Keep kickin ass!

natesamuelson

Weird that the re-research guy didn't simply Google-search for CSS keylogger programs before starting his little project.

tatusaalasti

Nice overview and breakdown. And thank you for highlighting the earlier research. :)

thornmaker

GREAT video, well explained and interesting moderation! Keep it goin' sir :D

testobjektx

How to insert this CSS into others' HTML, that is a question.
If you have access to the CSS, you can just use JS to get the values.

jw

When this video came up I first saw CSS and thought it was Counter Strike Source.... Then I saw it was your channel and I felt like an idiot... hahahahah

GeorgeAlexanderTrebek

I subbed because of your paint skills.

maxautism

In 2014 I also came across this thing but I ignored it. But now I'm interested because of you. 😊

shivamchhapola

I'm a new subscriber to your channel and I must say that I'm stunned by your videos. I'm not a hacker/programmer myself, but I'm really interested in that stuff and I want to learn "it" over the next years.
My question to you would be "How old were you when you started programming?" and "How many programming languages do you speak?" and "How long did it take to get this profound knowledge of things to work with?"
The last question is kinda cheesy, because you never stop learning, but I mean, how long did it take to get all most of the necessary meta-knowledge that led to the first "Aha!" moments you had during hacking/reverse engineering?

I'm a big fan of your work. Keep it up!
Greets from a fellow German :D (Your accent is hard to miss^^)

Likwise

But how is this relevant? Wouldn't the effort of injecting CSS code into a browser be the same as injecting JS code?

dr.z