monitoring user input in javascript

Markbnj

Well, something like that ought to be possible if you walk the DOM and add event handlers to all the editable elements. Easy to do this with jQuery.
 

Leros

Do you want to log every keystroke and mouseclick for YOUR website? You can definitely do this. The place I work at now has done this at some points for testing purposes.

But it sounds like you want your website to log input on all other websites open in the browser, which I'm pretty sure you can't do.
 

sourceninja

Do you want to log every keystroke and mouseclick for YOUR website? You can definitely do this. The place I work at now has done this at some points for testing purposes.

But it sounds like you want your website to log input on all other websites open in the browser, which I'm pretty sure you can't do.

Not only that, but pretty damn unethical if you could.
 

Cogman

Not only that, but pretty damn unethical if you could.

agreed. The inventors of Javascript were smart in the fact that they removed almost all ability of javascript to modify or modify stuff outside of the browser.
 

Leros

agreed. The inventors of Javascript were smart in the fact that they removed almost all ability of javascript to modify or modify stuff outside of the browser.

And browsers do a pretty good job of keeping tabs isolated (separate processes, security levels, etc).
 

bwanaaa

because something is unethical, does not mean you don't have to think about it and guard against it. javascript can log all text entry occurring in the window/frame that calls the logging script. javascript can also log all the text of any parent window that spawned a window that called the logging javascript. however, i don't think javascript can log text of independent windows/frames/tabs that did not call it.
i am just not sure of this fact so i ask.


remember, buffer overflows were never considered a security loophole back in the day-
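
The window relationships asked about above, modelled as an added example that is not part of any post in the thread: a script gets at another window's inputs only if it holds a reference to that window and both documents share an origin (scheme, host and port). The function names, relationship labels and URLs are assumptions made for illustration.

```javascript
// Added illustration: a model of the browser's same-origin check.
// All URLs are constructed sample values; real browsers add further rules
// (sandboxed frames, document.domain) that this model leaves out.

// An origin is scheme + host + port; URL.origin normalises default ports.
function originOf(url) {
  return new URL(url).origin;
}

// relationship = how the script's window holds a reference to the target:
//   "self"     the script's own window or frame
//   "parent"   reached through window.parent from inside a frame
//   "opener"   reached through window.opener from a spawned window
//   "noopener" spawned with rel="noopener", so window.opener is null
//   "none"     an unrelated tab or window
function canReadInput(scriptUrl, targetUrl, relationship) {
  if (relationship === "self") {
    return { allowed: true, reason: "own document" };
  }
  if (relationship === "none" || relationship === "noopener") {
    return { allowed: false, reason: "no window reference" };
  }
  if (originOf(scriptUrl) !== originOf(targetUrl)) {
    return { allowed: false, reason: "cross-origin DOM access blocked" };
  }
  return { allowed: true, reason: "same origin" };
}

// Constructed cases: [script location, target window, relationship]
const cases = [
  ["https://app.example/form", "https://app.example/form", "self"],
  ["https://app.example/popup", "https://app.example:443/main", "opener"],
  ["https://ads.example/frame", "https://app.example/main", "parent"],
  ["http://app.example/popup", "https://app.example/main", "opener"],
  ["https://app.example/popup", "https://app.example/main", "noopener"],
  ["https://app.example/form", "https://bank.example/login", "none"],
];

// Evaluate every row and return one verdict object per case.
function evaluate(rows) {
  return rows.map(([script, target, rel]) => ({
    target, rel, ...canReadInput(script, target, rel),
  }));
}

console.table(evaluate(cases));
```
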
 

Cogman

because something is unethical, does not mean you don't have to think about it and guard against it. javascript can log all text entry occurring in the window/frame that calls the logging script. javascript can also log all the text of any parent window that spawned a window that called the logging javascript. however, i don't think javascript can log text of independent windows/frames/tabs that did not call it.
i am just not sure of this fact so i ask.
Strictly following the standard, Javascript cannot harm your computer. That doesn't mean that there can't be a hole in javascript, just that by sticking to the standard it can't be exploited.


remember, buffer overflows were never considered a security loophole back in the day-
No, back in the day buffer overflows have ALWAYS been seen as security loopholes. The only people that considered them to not be security holes were those that weren't trained in security.

Back in the day, people didn't care about buffer overflows not because they didn't represent a risk, but because computers were big expensive devices that had rigorously monitored and controlled input from their users. They could trust their users because they could easily track them down if they did anything malicious. Think about it, you feed in your cards, all of a sudden the computer stops working correctly. Hmmm, who could have done this?
 

Markbnj

Not only that, but pretty damn unethical if you could.

Yeah... "all browser windows that are open" ... I didn't stop to think about what he was asking. Not necessarily unethical. Depends on context. Inside a corporate environment this would be considered heavy handed, but not unethical.
 

bwanaaa

macro viruses (like those in pdfs and word docs) are the current biggest malware. javascript is probably what powers those phishing websites - but that relies on the user being tricked into visiting them

i can see a javascript distributed DoS..temporarily converting your browser window into part of a botnet. but instead of being a 24/7 existence (like a virus running on the OS), it only lasts as long as the window. though it may be brief, the billions of windows would add up to a problem. I could imagine a spammer offering coupons, the subject visits the site to get the coupon, and a bit of javascript hammers away at the target website in the background while the subject reads about the places and times the coupon is valid (which is all irrelevant because it's a fake McDonald's or Domino's coupon in the first place)