Keyboard and Mouse Sniffing using Javascript

2012-12-28

A few weeks ago I found an interesting article on Twitter via @h43z. He created a password list in which you can "search" for your own password. You would probably press Ctrl+F to start the search. Using JavaScript, the website catches that input and blocks the default action. Instead, it shows a fake search bar where you can enter your password to see whether it is contained in the list. Several fake results are generated, so the user keeps typing until the whole password has been entered. The password could then be sent to the server. Here is the link.

I wondered how far this could go and decided to build a "test website" which catches all input, displays it on the screen and tries to block the default action. Here is the result, which you can try yourself: here.


Result, using Firefox 17 on Linux Mint with Xfce:

"Caught" means that JavaScript can capture the input and send it to a server. "Blocked" means that JavaScript can block the input, so that the default action (e.g. Search) is not executed.

In other words, the website can not only monitor the actions of the user (e.g. where the user moves the mouse, keyboard input, ...), it can also block several of them. The user cannot reload the page (F5), escape fullscreen (Esc, F11), start the "real" search (Ctrl+F) or open the real history (Ctrl+H), or go back to the last page (Backspace). The website can also block the default help (F1) and do something else instead.
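To see when a page does this, the cancellation itself can be audited. The following is an added example, not code from the test website: it wraps `preventDefault` and records every key event a page cancels for the shortcuts listed above (Ctrl is the key labelled Strg on a German keyboard). The names `installAudit`, `shortcutLabel`, `FakeKeyEvent` and `demo` are hypothetical, and the key events are constructed sample input so the block also runs outside a browser.

```javascript
// Shortcuts the post lists as blockable by a page.
const WATCHED = new Set(["F1", "F5", "F11", "Escape", "Backspace", "Ctrl+F", "Ctrl+H"]);

// Turn a key event into a label such as "Ctrl+F" or "F5" (Cmd is treated like Ctrl).
function shortcutLabel(ev) {
  if (typeof ev.key !== "string") return null;
  const key = ev.key.length === 1 ? ev.key.toUpperCase() : ev.key;
  const mods = [];
  if (ev.ctrlKey || ev.metaKey) mods.push("Ctrl");
  if (ev.altKey) mods.push("Alt");
  if (ev.shiftKey) mods.push("Shift");
  return [...mods, key].join("+");
}

// Wrap preventDefault so each cancelled watched shortcut is appended to `log`.
// Returns a function that restores the original method.
function installAudit(log, EventCtor = Event) {
  const original = EventCtor.prototype.preventDefault;
  EventCtor.prototype.preventDefault = function () {
    if (["keydown", "keypress", "keyup"].includes(this.type)) {
      const label = shortcutLabel(this);
      if (label && WATCHED.has(label)) log.push({ type: this.type, shortcut: label });
    }
    return original.call(this);
  };
  return () => { EventCtor.prototype.preventDefault = original; };
}

// Constructed stand-in for KeyboardEvent (assumption: only key and modifiers matter here).
class FakeKeyEvent extends Event {
  constructor(type, init) {
    super(type, { cancelable: true });
    Object.assign(this, init);
  }
}

// Simulates a page that cancels every key press and returns what the audit recorded.
function demo() {
  const log = [];
  const uninstall = installAudit(log);
  const page = new EventTarget();
  page.addEventListener("keydown", (ev) => ev.preventDefault());
  const sample = [{ key: "f", ctrlKey: true }, { key: "F5" }, { key: "a" }]; // constructed input
  for (const init of sample) page.dispatchEvent(new FakeKeyEvent("keydown", init));
  uninstall();
  return log.map((entry) => entry.shortcut);
}

console.log(demo());
```

In a browser the wrapper has to be installed before any page script runs, for example from a userscript at document start. It does not see cancellation through `returnValue = false` or a `return false` from an `onkeydown` attribute handler.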

These possibilities are very dangerous, even or especially for computer experts who use shortcuts! Be careful out there and block JavaScript if you do not need it!

Update (29.12.2012): When the browser is in fullscreen mode, the F11 key can be blocked, but the Esc key will pass through and exit fullscreen mode. Also, in Firefox the user is asked whether they want to enter fullscreen mode if the page triggers it automatically.