CSS Keylogger - old is new again 

That reminds me a lot about how they made it so in JS you can't detect the colour of a link, since websites could put hidden links to their competitors and check if they were purple in order to see if the user visited their competitor's site...

Amazing! Never heard of CSS attacks.

Netscape: Javascript is automatically disabled, people are secure Hacker: **hacks via CSS** Netscape: WAIT THAT'S ILLEGAL Hacker: always has been 🔫

"Why is it hard to make friends over 30"

I fucking love this channel !

I've never heard of CSS being used as an attack. I have to say as primitive as it is, it's pretty damn clever.

When this video came up i first seen CSS and thought it was Counter Strike Source.... Then i saw it was your channel and i felt like a idiot... hahahahah

If this blew your mind. Did you actually know, that HTML5 and CSS3 together are turing complete? Someone implemented Rule 110 with it 😵

This can be used to deanonymize users of tor. It also is why you should use the tell browser and why it tells you not to change the browser windows dimensions. I'm not sure why you are saying it can't as it definitely can. Maybe you are misunderstanding what they mean about Deanonymization in this context is just being able to distinguish two users from each other in a somewhat persistent way.

I was just thinking you should make a video about this and... you didn't take long to do it!

But how is this relevant? wouldn't the effort of injecting a CSS code into a browser is the same as injecting JS codes?

Weird that the re-research guy didn't simply Google- search for CSS- keylogger programs before starting his little project.

I got a 45 min ad?!

how to insert this css into other's html, that is a question if you have access to the css, you can just use js to get the values

I've heard of CSS being a delivery mechanism for XSS, but this definitely new and interesting to me, although its now a decade old.

CSS keylogging isn’t new (2009 slideplayer.com/slide/3493669/) but the reason the github repo exploded is because it applies it to REACT apps.

Cross Site Styling "Other XSS" can get dangerous, but the main attack vector is that it can be abused to mask injected HTML to look like legit content of the website, and can carry out pretty effective phishing attacks.

I though css is just for styling script for html, and this attack is really break my tough about css :v

thats actually quite cool

btw someone should mention that there actually is a pretty serious attack vector for this kind of threat: userchrome files. a huge number of people use extensions like Stylish and download custom stylesheets, often without even checking the code. and even for the people who do check the code, you can obfuscate important details by encoding them in base64, and by minimizing control characters, shit like that. i wonder if there's even a way to encode the entire malicious part in base64 and find some way to store it that it'll still be read. isn't really my area of expertise but i know you can do that shit in js easily. there are websites that host these stylesheets. i haven't used stylish but i don't think it has any form of protection against remote resources. otherwise you'd need to locally store any additional icons. compared to the custom script sites that are available, the css websites are really fuckin sketchy. which makes sense, css seems so much easier to trust. and no doubt you could do a lot more by uploading a malicious custom script and hope that people install it to tampermonkey, but if you do a malicious stylesheet it's a lot less likely to get caught. i use firefox so the stylesheets i've made are just loaded instantly by the browser and i don't have any need for stylish, but my wikipedia stylesheet is impressive enough to share on one of those sites. i haven't shared it since i originally took it from an existing but defunct stylesheet, but i improved it massively and in my opinion it's the best 'wikipedia dark mode' stylesheet available on any of the custom stylesheet websites, by a long margin. if i wanted to i could upload it, and sneak this into it, and i think it'd be super popular until someone eventually found the poison. i don't think many people would notice in time because it's over 3,000 lines and it just looks so pretty. and that's before making any kind of effort to obfuscate it. like you would add a ton of pointless properties that just restate the initial value. make it so long that looking through it is too daunting to bother with. make it huge. honestly if this was the goal, it should be a browser-wide dark mode. like dark reader. of course dark reader uses js to work its magic, but in this case we advertise it as being very effective for a small number of major websites (google, youtube, wikipedia, amazon, facebook, etc.) and moderately effective for most other websites. therefore we can make it a stylesheet with no document selector. like the problem with the wikipedia stylesheet is it's not a more effective vector than your example of just happening upon some remote injection exploit on a specific website. if you make a good enough cross-website stylesheet then you have an excuse to make it apply to EVERY website. and there's no reason to use a [type="password"] selector either, just steal everything. all user inputs. not just textboxes but checkboxes, radio buttons, any interactable legacy element. better yet, start the stylesheet off without any malicious content. make it popular and give it its own website that you link to on the stylesheet websites. there are others like that already. then when people navigate to your website, they see a post on the website that says you're expanding the stylesheet to apply to the *entire* browser. so not just the content but the browser UI. which requires more than an extension, they need to make a config tweak and download the modifications directly and put it in their profile folder. so now you have a userchrome.css that records all inputs into the browser UI, including any interactions (possibly even non-interacted text displays?) with password managers like keepass, bitwarden, etc. and you have a usercontent.css that records most inputs into websites. and even worse, i'm not sure about google chrome but for firefox users, you can fill in all the gaps with userchromeJS. there's an exploit that allows basically arbitrary XBL bindings in css sheets. which means you can install and run scripts locally, during startup and before any extensions load. so the whole package is userchrome.css, usercontent.css, userchrome.js, userchrome.xml. and you use the script to log inputs in elements that aren't implemented using regular html objects. basically you can log interactions with more advanced objects, and then do whatever else you want to do with javascript, which is going to be even less comprehensible to the average user. maybe there's some way to steal data from password managers, that kind of thing. it seems like a pretty underestimated threat. but it doesn't even have to be that advanced to do real damage. even without the js, a userchrome.css file can still steal someone's email and password as they log into their password manager. then if they don't have 2fa you would steal all their accounts. even without the userchrome.css file, a cross-website stylesheet for an extension like stylish can still steal someone's paypal login, bank login, etc. it sounds weird because we don't hear about this ever, but there seem to be no countermeasures in place. this must be already happening. i know plenty of people have uploaded malicious scripts to websites like userscripts and openuserjs. i think the explanation for css skins being a less common vector is probably that most people are simply unaware that a worthwhile malicious attack even exists within pure css. i had never heard of this until now and it never occurred to me even though i use attribute selectors all the time lol. it's pretty clever, just not intuitive that you'd write a binary switch for every character or character combination. it's kind of like building a digital keyboard in pure css lol.

Additionally it shows a great POC using chrome extensions as CSS injector which is less common to vet compared to malicious JS injection

I subbed because of your paint skills.

I fucking love this channel !

GREAT Video, well explained and intresting moderation! Keep it goin' sir :D

4:22 David's profile reads "Infinity" when interpreted as JSfuck. I was about to put it in a BF interpreter but quickly realized it has a lot of infinite loops. So it's 2 ways to say Infinity while saying fuck, lol

Lol. Why the fuck am I here? The extent of my programming knowledge is the first few chapters of "head first learning; python" textbook. Lolz

I know english is not your first language, but you mispronounce interpret in every video, just pointing it out for you - love the content either way!

Lol. As you say in your presentation: the title is misleading. This is why I also immediately cliked on your video title 😉

How do you inject the malicious css though?

I still don't get why this is a "realistic" security issue. You can only use this kind of stuff if you have already access to a website (via xss etc.). And if you have access to a website you can do a lot more/dangerous stuff than using a css keylogger... every js solution would be better. Doenst matter if 1 out of 10000 visitors uses a js blocker...

finally something I can understand...

Can someone guide me little bit I am a noob stumbled upon this video now hung up on it

You should do my schools ctf. its at ctf.tamu.edu Even though the competition ends today I believe the challenges will still be up. It would be very interesting to see your take on them.

5:27 is it really hard to make friends at over 30?

"History Repeats itself" - Someone

counter strike source keylogger wtf how

Couldn't you combine this with css variables and then capture the actual password?

how would you "remove this vulnerability" without eliminating either the attribute selector or the background property? wouldn't be a very useful css version lol

"Fuck! Browsers are weird."

This is definitely still valid need to know knowledge today even if just as a testament that all user IO needs to be cleaned and validated! Especially things inputted through form fields people! Imagine a bookmarklet that injects this the keylogger on to your page. Know imagine the bookmarklet link disguised as a link to a valid resource!!! Recipe for disaster *nods head in disbelief*

Not believe it? Hold non-logging.

I think to a typical user, losing their password privacy is actually a big deal, so if this can keylog a password, that's not a small problem.

I went back to 2012 and the video disappeared like Marty McFly in his photo. I came back to finish the video.

I'm a new subscrito to your channel and I must say that I'm stunned by your videos. I'm not a hacker/programmer myself, but I'm really interested in that stuff and I want to learn "it" over the next years. My question to you would be "How old were you when you started programming?" and "How many programming languages do you speak?" and "How long did it take to get this profound knowledge of things to work with?" The last question is kinda cheesy, because you never stop learning, but I mean, how long did it take to get all most of the necessary meta-knowledge that led to the first "Aha!" moments you had during hacking/reverse engineering? I'm a big fan of your work. Keep it up! Greets from a fellow German :D (Your accent is hard to miss^^)

Basically any forum messageboard site that displays user content while the viewer is logging in is vulnerable.

reminds me of :visited pseudo along with javascript to escape browser history information

i dont understand anything about computer science, but there is something enjoyable watching your videos lol

Didn't know that it was already discovered, but I found this attack at the beginning good, but after 10 min of research it wasn't good than I understood, and so the title is for smth

One could argue that hosting CSS files on a "untrusted" CDN is not a big deal, compared to hosting JS on a untrusted CDN. If one hijacks the CDN, they could implement this, no?

In 2014 I also came across this thing but I ignored it. But now I'm interested because of you. 😊

Well, CSS is nowadays almost Turing complete, so...

alert("dang youtube xss?")

I found a exploit and found out that's how fishing scams work

LETS GO BACK 1997 ....

I have seen it loong time ago w/ using font ligatures so you are not abaddoned in this surprise :)

sirdarckcat, I think it's pronounced "Sir Dark Cat"

0:54 here I am a complete noob still watching live overflow!

okey can you plz make a keylooger with html pleaze plz plz ....

Have any browser prevent this in recent versions ? if anyone knows

What's up with the 'so handsome' mini pop-ups?😂😂

Very old, its funny 😄 if you don't know About it HHH

How to solve ( current read-only problem ) for usb

You know... I'm entirely new to the topic... and I really don't know anything about what this channel is all about, so.... where do I start? ^^ Any suggestions as to where I can start learning about programming and hacking overall? :3

This reminds me a lot of the css code that shuts down iPhones.

Second! Sick video. Have never heard about it tho

Не понятно, че делать то с этим. Как загружать жертве, только через плугин браузера?

Awesome channel

It doesn't even work unless your js is actively changing the value attribute on every input. Some other guy also reported that each character would only get registered once.

so handsome

Im stuck on starting Yarn. How do I open it ?

Nice overview and breakdown. And thank you for highlighting the earlier research. :)

awesome video. I work with selectors every day and I've never thougth of this!

Great video

dope idea

Bist du deutsch???

the moment selecting stuff via n letter becomes possible, is the moment a ton of sites will have keyloggers appear out of thin air

Nice

I don’t understand how anyone could possibly exploit my web app with this?

Myspace would have been fun.

but you chose to use it in your video title anyway

Deutsche und englisch. Ich find es erstaunlich wie schnell man es hört :D nichts gegen dich :)

Agreed this isn't a keylogger.

And I learned about it trough this video.

Berlinsides! I was making music there lol

Not quite sure how this CSS keylogger would be advantegeous over an JS Keylogger. 1. It's a lot more work, and a lot less reliable as you, for example, cant detect backspaces. 2. It will generate A LOT more requests in a browser, thus making it a lot easier for console users to detect something fishy going on (Aside of the large amount of requests, just loading this huge list of CSS rules will impact the site loading performance as well, which surely also will be noticed. 3. Are there really people who disable JavaScript? And if so, what percentage are we looking at, especially depending on the website, since most require JS to work if you dont want the website to lose most of its functionality.

You Sir are wise :) thanks for reminding this

Didn't Mattias (from Opera) give a talk on like 10 obscure things he had learned about CSS and this was one of them prior to the talk you referenced?

Great content as usual man, love your channel. Totally off-topic question, but what do you use for your pen/pencil/drawing overlay graphics when you make your videos? I have some video tutorials for a couple friends that involve a lot of math that would be much easier to write into than use some kind of equation formatter.

CSS is a Turing complete language. you could rewrite metasploit in CSS, you could write a C comiler in CSS, you get the idea

I wonder why there is no "this site uses CSS" notification on every website out there ... Please make it more popular! We need more "news" on every page!

It’s not about who did it first...

Great idea! Rediscover old xss hacks, have everyone download your chrome plugin. Its not like you couldnt just put a keylogger in the plugin right?

Why was is not fixed years ago

Great video bro, never heard of css attack!

creative is hack born to dare

Setting the background of a an input selector isn't keylogging btw

can you have an HTML key logger in an extension so it works for all pages?

How did you get the thumbnail for this video to autoplay in my feed?

I had once been very interested in hacking/Cyber Security but never pursued the interest for lack of experience and the vastness of the field. However, now that I am graduating with a CSCI degree and have some experience in various programming languages this is a lot more feasible. The only reason that this was even brought to my attention was your incredibly informative videos. I am now considering a career path in the field and even a masters degree. This is all thanks to your hard work. I really appreciate what you do. Keep kickin ass!

Counter strike sorce :D