WebApp Sec mailing list archives

Re: Re: Citi-Bank Virtual Keyboard (is useless)
From: mike () sharecube com
Date: 14 Aug 2005 18:35:50 -0000


C# keyloggers

Let's differentiate the issues here. The original post described an exploit against HTML forms. The exploit could work 
against IE using COM or against Firefox and other browsers using JavaScript injection. That hasn't changed.

Your request is for me to provide a keylogger that can break a C# desktop app using Window controls with some unknown 
and undescribed "EXTRA security features."

Getting all of the data off of a C# based Windows form is easy, even if an attacker does not know the button value. If 
it's in a field, it can be retrieved. 

Windows prevents getting text from a password field through another process, but this problem can be overcome. My 
standard security presentation demonstrates this fact.

I cannot comment on the extra security features as I do not know what they are. 

Given an opportunity to invade a box (a requirement for installing a keylogger), I can demonstrate stealing a user 
account/password in a number of ways, even when passwords are sent using SSL (http://).

Mike Podanoffsky
www.sharecube.com

