I already have your keystrokes. The fact that you never clicked submit on my phishing form doesn't matter one jot. To any web developers out there, the fact that any webpage you have open and are using (i.e. it's your active window) has essentially unrestricted access to monitor your keyboard and mouse activity will come as no surprise, but I delivered a demonstration a few weeks ago with my colleague Alexander Markov to a non-technical audience who were very surprised about this indeed.

Every Webpage is Potentially a Diet Keylogger

You've probably heard of keylogging software. Usually surreptitiously installed on your machine, these programs make note of every button you press on your keyboard (and potentially any movements you make with your mouse) and deliver this data into the hands of another.

If the person who built the website wills it, every single webpage you visit is a keylogger. As soon as you make that webpage your active window, consider it to be recording every button you press and every movement your mouse makes; when you switch applications or tabs to do something else, consider it to have stopped (usually, unless something is very, very wrong with your browser).

For the demonstration, we spoofed (mimicked) a "confirm your details" form and crafted a URL (web address) to inject this form into the legitimate login process for a website many people use on a day-to-day basis. I stood in front of the room, while everyone watched my colleague type a username and password (which, of course, appeared as **** in the text field) and held up my phone, which was being updated with the contents of both fields in plain text and in real time. Many audience members did a double-take.


"What do you mean you know my password already? I never clicked submit! Everything stays on my machine until then surely!"

No, it doesn't. JavaScript can send requests and receive responses completely silently in the background, or even open up a direct connection to the server to relay information in real time (WebSockets).
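As an added example (not from the original post), the JavaScript below models how a browser applies a Content-Security-Policy `connect-src` directive to exactly the silent fetch/XMLHttpRequest requests and WebSocket connections just described: if the legitimate site serves such a header, a form injected into its login page cannot relay keystrokes to an origin the policy does not list. The page origin, policy and URLs are constructed, and the matching is a simplified version of the CSP Level 3 rules.

```javascript
// Added example, not from the original post: a simplified model of how a browser checks
// background traffic (fetch/XMLHttpRequest and WebSocket connections) against a
// Content-Security-Policy connect-src directive. Page origin, policy and URLs are constructed.
const PAGE_ORIGIN = "https://login.example.com"; // assumed origin of the legitimate login page
const POLICY = "default-src 'self'; connect-src 'self' https://api.example.com wss://api.example.com";
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const portOf = u => u.port || DEFAULT_PORT[u.protocol] || "";

// Return the connect-src source list, falling back to default-src as browsers do (null = no policy).
function connectSources(csp) {
  const directives = csp.split(";").map(d => d.trim().split(/\s+/)).filter(d => d[0]);
  const pick = name => directives.find(d => d[0] === name);
  const d = pick("connect-src") || pick("default-src");
  return d ? d.slice(1) : null;
}

// Scheme matching with the secure upgrades CSP permits (http->https, ws->wss/http/https, wss->https).
function schemeMatches(allowed, actual) {
  if (allowed === actual) return true;
  if (allowed === "http:") return actual === "https:";
  if (allowed === "ws:") return ["wss:", "http:", "https:"].includes(actual);
  if (allowed === "wss:") return actual === "https:";
  return false;
}

// Does one source expression ('self', scheme://host:port, *.host, ...) permit the target URL?
function sourceMatches(source, target, pageOrigin) {
  const t = new URL(target), page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") {
    // 'self': same host and port; the page's own scheme or a secure https/wss target
    const schemeOk = t.protocol === page.protocol || ["https:", "wss:"].includes(t.protocol);
    return schemeOk && t.hostname === page.hostname && portOf(t) === portOf(page);
  }
  // host-source: optional scheme, optional leading wildcard, host, optional port
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*']+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // other keywords such as 'unsafe-inline' cannot name a connection target
  const [, scheme, wildcard, host, port] = m;
  if (!schemeMatches(scheme ? scheme.toLowerCase() + ":" : page.protocol, t.protocol)) return false;
  const h = t.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port === "*") return true;
  return port ? portOf(t) === port : t.port === ""; // no port listed: only the scheme's default port
}

// Would the browser let a script on the page open this connection under the policy?
function connectionAllowed(csp, target, pageOrigin = PAGE_ORIGIN) {
  const sources = connectSources(csp);
  return sources === null || sources.some(s => sourceMatches(s, target, pageOrigin));
}
```

A page the attacker hosts outright sets its own headers, so this constrains script injected into a legitimate site, not a standalone spoofed site.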

"But my password is just stars! Surely you can't see it..."

The computer needs to know your password at some stage. The password needs to be sent to the server in some form or another to be checked for validity. Those stars are there so that people can't peek at your screen, and what lies behind them is always visible to the website you're typing on, at any time.

"This is an advanced attack. Surely I/my small business would never be singled out for something like this."

This isn't a hard thing to build. Not at all. Anyone with a little bit of knowledge of JavaScript and a few tools to spoof a legitimate website's look and feel can throw something like this together.

Well... Yeah?

Is probably what you're saying to yourself right now if you're a technical person, or especially if you're a web developer who writes this kind of code all the time. This is something I'm guilty of myself: how do people not know these things? Then I remind myself that it's for the same reason I don't have the faintest clue how a boiler works, and I need to call someone who does when mine breaks down. The difference is that my boiler, unlike my smartphone or PC, isn't wired into every facet of my life.

I can't handle banking, correspondence, shopping, or business through my boiler, but I can do all of those things and much, much more using my phone or my computer. I feel like sometimes we could do a better job of reaching out and getting this stuff across.