How to conveniently run keyloggers in operating systems like iOS (but not Android); In this article, I’m describing and testing the “feature” that makes eavesdropping far easier.
The article is not to encourage illegal activities but rather to warn the general audience about serious flaws of current internet browsers, mainly on iOS and desktop devices.
We haven’t spotted such flaws on recent Android devices (browsers).
This article is made for our project in cybersecurity — A-Irene.com — enabling security and anomaly detection with a single line of code — as easy to setup as Google Analytics.
We are in a phase of testing our telemetry plugin — allowing our clients to spot bots, anomalies in traffic or imposters.
During the process, I’ve spotted numerous bizarre behaviors on behalf of browsers that shouldn’t really be allowed and have no explanation.
Let me explain.
Keylogging is an activity where a script or a device registers the keys you pressed or tapped on your keyboard with an intention of storing it or sending on a server.
It comes in many flavours — from diagnostics up to malicious codes, stealing your passwords, and eavesdropping your conversations.
The reason for this article is our concern about the state of security of modern browsers.
While collecting keystrokes for legitimate reasons is not a problem, keeping features that make keylogging plugin scripts much easier is a bad practice.
We have tested how limited — or unlimited — access scripts have to your keystrokes. In short — how easy it is to spy on you.
It turned out that Android protects users from this practice, by obscuring key codes (we don’t know which key was pressed). Browser extension, plugin or malicious script cannot access keycodes, it returns “undefined” which in this case makes us very happy. Only the event is recognized with no details on Android.
iOS is a different story — we can eavesdrop on all key actions, including password text fields from anywhere. It’s as easy as typing:
document.addEventListener(“keydown”,spy);
A single line of code is enough to eavesdrop on you. Then the “spy” function can collect all your activities. Pretty creepy I have to say.
The same behavior you can experience on desktop browsers. Both Windows and MacOS have failed our test.
There are few categories like website itself — including all scripts it’s using — but also 3rd party plugins (like google analytics, hotjar, facebook pixel, newrelic) and many other analytical tools.
Also all active at current moment browser extensions can record everything you type, including passwords. This one is really scary as we don’t always register what exactly is running at the moment and how it behaves long-term.
