WebApp Sec
mailing list archives
Re: Defeating Citi-Bank Virtual Keyboard Protection
From: F Lace <flace9 () gmail com>
Date: Mon, 15 Aug 2005 11:31:56 +0530

Apologies for posting on the topic without going through the PoC in
detail, as I was in a hurry. I have now gone through the PoC and I
have the following comment:

The PoC doesn't include the implementation details, so my response is
based on my guess on the implementation and again may not be very
correct - advance apologies for that :)

A true keyboard logger is one that logs the keys as they are typed.
This itself is not enough in providing security to the keys typed - so
a quick transformation of the keystrokes to another format that is
more secure (e.g., MD5-ing if possible) is highly desirable for storage
in memory and also for transmission. If the PoC is obtaining the IPIN
from the HTML through some IE tricks, then that may not be sufficient
to get the password from the sites (login.yahoo.com) that encrypt the
password before sending across.

So I am curious to know if the concept in PoC can obtain passwords
from sites that encrypt it before sending out, and also if the concept
in PoC is IE specific or can be extended to Firefox too (i.e., does it
exploit IE or Windows)?

Thanks!