WebApp Sec mailing list archives
Re: Defeating Citi-Bank Virtual Keyboard Protection
From: F Lace <flace9 () gmail com>
Date: Mon, 15 Aug 2005 11:31:56 +0530
Apologies for posting on the topic without going through the PoC in detail, as I was in a hurry.. I have now gone through the Poc and I have the following comment: The Poc doesnt include the implementation details, so my response is based on my guess on the implementation and again may not be very correct - advance apologies for that :) A true keyboard logger is one that logs the keys as they are typed. This itself is not enough in providing security to the keys typed - so a quick transformation of the keystrokes to another format that is more secure(eg., MD5-ing if possible) is highly desirable for storage in memory and also for transmission. If the PoC is obtaining the IPIN from the HTML through some IE tricks, then that may not be sufficient to get the password from the sites(login.yahoo.com) that encrypt the password before sending across. So I am curious to know if the concept in PoC can obtain passwords from sites that encrypt it before sending out, and also if the concept in PoC is IE specific or can be extended to Firefox too(ie., does it exploit IE or Windows)? Thanks!
Current thread:
- Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Saqib Ali (Aug 12)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 12)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Andrew van der Stock (Aug 12)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 13)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 12)
- Message not available
- Re: Defeating Citi-Bank Virtual Keyboard Protection Saqib Ali (Aug 12)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Saqib Ali (Aug 12)
- Re: Defeating Citi-Bank Virtual Keyboard Protection intel96 (Aug 12)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Saqib Ali (Aug 12)
- <Possible follow-ups>
- Re: Defeating Citi-Bank Virtual Keyboard Protection intel96 (Aug 12)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 14)
- Re: Defeating Citi-Bank Virtual Keyboard Protection F Lace (Aug 15)
- Re: Defeating Citi-Bank Virtual Keyboard Protection F Lace (Aug 14)
- Re: Defeating Citi-Bank Virtual Keyboard Protection F Lace (Aug 15)
- Re: Re: Defeating Citi-Bank Virtual Keyboard Protection mike (Aug 15)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Bipin Gautam (Aug 15)
- Re: Re: Defeating Citi-Bank Virtual Keyboard Protection mike (Aug 16)
- Re: Re: Defeating Citi-Bank Virtual Keyboard Protection F Lace (Aug 16)