Hello,
I have been looking into keyloggers, and making some scary discoveries.
On Linux
For any X11 apps - that is still most graphical apps - it's really easy. Proof of concept:
In a terminal emulator, type 'xinput', and find the id for your keyboard. Then type "xinput test <id>" (replace <id> with the right number - you might have to do several tries).
Now go to any other app (Firefox, whatever) and type something. Even a password in another terminal window, you will see all your keystrokes appear. Basically any graphical app (X11 client) can listen to all keystrokes. Thankfully X11 is to be replaced by Wayland, which does not have this vulnerability. However we're not there yet.
On OSX
I found this:
https://www.npmjs.com/package/osx-keylogger
If you have node installed, it's easy to set up. Just install the module, then create a JavaScript script by pasting the short example code. You might have to replace "swedish.json" with the correct path, depending on where the swedish.json file is in relation to your example script. I had to replace it with 'node_modules/osx-keylogger/swedish.json'. Then just run that script, for example "node example.js".
Again, it will catch any keystrokes that I type in another window (such as Firefox).
I tested it on OSX 10.11.6, and it launched without requesting any permissions or any warning.
It would not capture passwords in Firefox, Safari, and also OSX password prompts (when requesting administrative access). However it did capture password fields in HTML forms in Chrome. And of course it did capture other information such as username and anything that I was typing, which was not protected.
So there is a security feature in OSX, to block keyloggers when entering passwords, but Chrome (63.0.3239.132) is not making use of it.
I would like anyone, if possible, to please confirm the OSX test on a newer version of OSX.
On Windows
I haven't done any tests on Windows. Some research left me with the impression that it's more complicated to do this on modern versions of Windows without triggering any sort of warning or confirmation, due to various safeguards that were added.
The implications of such vulnerabilities are worrying. It means that any software that we download on the internet could possibly have malicious code to silently capture sensitive information and send it to someone.
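An added example, not part of the original post: a shell check for whether a Linux desktop session is subject to the X11 behaviour described in the Linux section. The function name `classify_session` and the result labels are assumptions made for this example; it reads only the standard `XDG_SESSION_TYPE`, `WAYLAND_DISPLAY` and `DISPLAY` environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): classify how exposed a Linux
# graphical session is to X11 keystroke snooping.
# classify_session is a hypothetical helper name.
#
# Args: $1 = XDG_SESSION_TYPE, $2 = WAYLAND_DISPLAY, $3 = DISPLAY
classify_session() {
    stype=$1
    wayland=$2
    x11=$3

    # Some login paths leave XDG_SESSION_TYPE unset; infer it from the
    # display variables that are present.
    if [ -z "$stype" ]; then
        if [ -n "$wayland" ]; then
            stype=wayland
        elif [ -n "$x11" ]; then
            stype=x11
        else
            stype=tty
        fi
    fi

    case $stype in
        x11)
            # Plain X11: every client connected to the server can read
            # keyboard input meant for any other client.
            echo "exposed: every X11 client can read all keyboard input" ;;
        wayland)
            if [ -n "$x11" ]; then
                # XWayland is available: X11 apps share one X server, so
                # they can still observe each other's input. Native
                # Wayland apps are not visible to them.
                echo "partial: X11 apps under XWayland share one X server"
            else
                echo "isolated: no X server reachable from this session"
            fi ;;
        *)
            echo "n/a: no graphical session detected ($stype)" ;;
    esac
}

# Report on the current environment when run directly.
classify_session "${XDG_SESSION_TYPE:-}" "${WAYLAND_DISPLAY:-}" "${DISPLAY:-}"
```

A "partial" result means that moving the applications that handle secrets (browser, terminal, password manager) to their native Wayland backends is what removes the exposure, not the session type alone.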