WebApp Sec mailing list archives

Re: Re: Citi-Bank Virtual Keyboard (is useless)


From: mike () sharecube com
Date: 14 Aug 2005 18:35:50 -0000


C# keyloggers

Let's differentiate the issues here. The original post described an exploit against HTML forms. The exploit could work 
against IE using COM or against Firefox and other browsers using JavaScript injection. That hasn't changed.

Your request is for me to provide a keylogger that can break a C# desktop app using Window controls with some unknown 
and undescribed "EXTRA security features."

Getting all of the data off of a C# based Windows form is easy, even if an attacker does not know the button value. If 
it's in a field, it can be retrieved. 

Windows prevents getting text from a password field through another process, but this problem can be overcome. My 
standard security presentation demonstrates this fact.

I cannot comment on the extra security features as I do not know what they are. 

Given an opportunity to invade a box (a requirement for installing a keylogger), I can demonstrate stealing a user's 
account/password in a number of ways, even when passwords are sent using SSL (http://).

Mike Podanoffsky
www.sharecube.com

