WebApp Sec mailing list archives
Re: Re: Citi-Bank Virtual Keyboard (is useless)
From: mike () sharecube com
Date: 14 Aug 2005 18:35:50 -0000
C# keyloggers

Let's differentiate the issues here. The original post described an exploit against HTML forms. The exploit could work against IE using COM or against Firefox and other browsers using JavaScript injection. That hasn't changed.

Your request is for me to provide a keylogger that can break a C# desktop app using Window controls with some unknown and undescribed "EXTRA security features."

Getting all of the data off of a C# based Windows form is easy, even if an attacker does not know the button value. If it's in a field, it can be retrieved. Windows prevents getting text from a password field through another process, but this problem can be overcome. My standard security presentation demonstrates this fact.

I cannot comment on the extra security features as I do not know what they are.

Given an opportunity to invade a box (a requirement for installing a keylogger), I can demonstrate stealing a user account/password in a number of ways, even when passwords are sent using SSL (http://).

Mike Podanoffsky
www.sharecube.com