I already have your keystrokes. The fact that you never clicked submit on my phishing form doesn't matter one jot. To any web developers out there, the fact that any webpage you have open and are using (i.e. it's your active window) has essentially unrestricted access to monitor your keyboard and mouse activity will come as no surprise, but I delivered a demonstration a few weeks ago with my colleague Alexander Markov to a non-technical audience who were very surprised about this indeed.

Every Webpage is Potentially a Diet Keylogger

You've probably heard of keylogging software. Usually surreptitiously installed on your machine, these programs make note of every button you press on your keyboard (and potentially any movements you make with your mouse) and deliver this data into the hands of another.

If the person who built the website wills it, every single webpage you visit is a keylogger. As soon as you make that webpage your active window, consider it to be recording every button you press and every movement your mouse makes; when you switch applications or tabs to do something else, consider it to have stopped (usually, unless something is very, very wrong with your browser).

For the demonstration, we spoofed (mimicked) a "confirm your details" form and crafted a URL (web address) to inject this form into the legitimate login process for a website many people use on a day-to-day basis. I stood in front of the room, while everyone watched my colleague type a username and password (which, of course, appeared as **** in the text field) and held up my phone, which was being updated with the contents of both fields in plain text and in real time. Many audience members did a double-take.


"What do you mean you know my password already? I never clicked submit! Everything stays on my machine until then surely!"

No, it doesn't. JavaScript can send requests and receive responses completely silently in the background, or even open up a direct connection to the server to relay information in real time (WebSockets).
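Those background requests and WebSocket connections are exactly what a Content-Security-Policy `connect-src` directive governs on the legitimate site, so a defender can read a site's CSP header and tell whether injected script could open a channel to an outside host at all. The checker below is an added example (not code from the original post or demo): it parses a CSP header, applies the spec's fallback from `connect-src` to `default-src`, and decides whether page script may connect to a given URL; the source matching is deliberately simplified ('self' means an exact scheme/host/port match with the page, and port wildcards are not handled), and all hostnames such as `attacker.example` are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _host_matches(pattern: str, host: str) -> bool:
    # "*.example.com" covers subdomains only, never the bare domain itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def source_allows(source: str, target: str, page_origin: str) -> bool:
    """Does one CSP source expression permit a connection to `target`?
    Simplified: 'self' requires an exact scheme/host/port match with the page."""
    t = urlsplit(target)
    src = source.lower()
    if src.startswith("'"):                   # keyword such as 'self' or 'none'
        if src != "'self'":
            return False                      # 'none' and script keywords allow nothing here
        p = urlsplit(page_origin)
        return (t.scheme, t.netloc.lower()) == (p.scheme, p.netloc.lower())
    if src == "*":
        return True                           # any origin may be contacted
    if src.endswith(":") and "/" not in src:  # scheme-only source, e.g. "wss:"
        return t.scheme == src[:-1]
    if "://" not in src:
        src = "//" + src                      # bare host: let urlsplit find host and port
    s = urlsplit(src)
    if s.scheme and s.scheme != t.scheme:
        return False
    if s.port is not None and s.port != (t.port or DEFAULT_PORTS.get(t.scheme)):
        return False
    return _host_matches(s.hostname or "", t.hostname or "")

def connection_allowed(header: str, target: str, page_origin: str) -> bool:
    """Would page script be permitted to fetch/XHR/WebSocket to `target`?"""
    policy = parse_csp(header)
    sources = policy.get("connect-src", policy.get("default-src"))  # spec fallback order
    if sources is None:
        return True                           # no governing directive: unrestricted
    return any(source_allows(s, target, page_origin) for s in sources)
```

This only helps when the malicious form is injected into the legitimate site's own pages; a lookalike page hosted entirely by the attacker sets whatever policy it likes, so CSP complements rather than replaces user-side vigilance.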

"But my password is just stars! Surely you can't see it..."

The computer needs to know your password at some stage. The password needs to be sent to the server in some form or another to be checked for validity. Those stars are there so that people can't peek at your screen, and what lies behind them is always visible to the website you're typing on, at any time.

"This is an advanced attack. Surely I/my small business would never be singled out for something like this."

This isn't a hard thing to build. Not at all. Anyone with a little bit of knowledge of JavaScript and a few tools to spoof a legitimate website's look and feel can throw something like this together in an afternoon. I kept an eye on the clock while we wrote this code, and it took on the order of 4 or 5 hours between us.

Well... Yeah?

Is probably what you're saying to yourself right now if you work in the field of computing, or especially if you're a web developer who writes this kind of code (minus the malicious intent) all the time. This is something I'm guilty of myself, and talks like the one I delivered a few weeks ago are enormously helpful for perspective; this type of thing is not yet mainstream knowledge. After I wrapped up my presentation and took questions, it was heartening to see how keen the vast majority of people are to know more. Questions like "How can I protect myself?", "What password management software would you recommend?" and sometimes even "I think this might have happened to me, what should I do?" show that we still have a long way to go towards making good digital security practice as natural as locking the door behind you when you leave the house.