How script kiddies can hijack your browser to steal your password

A demonstration showing a site that hijacks a browsers search function and intercepts the contents.

Be careful what you type on your computer while surfing the Web. It very well could be funneled to a script kiddie who has appropriated a handful of lines of code and inserted it into his site.

The hack has been possible for years, but two proofs of concept published this month graphically demonstrate just how easy it is for even savvy people to fall for it. Both demonstrations use JavaScript to hijack the search command found in all standard browsers. The script is activated when a user presses the ctrl+f or ⌘+f keys, causing whatever is typed after that to be sent to a server under the control of the website operator rather than to the browser's search box.

Proofs of concept here and here show how this method could be used to trick people into divulging their password or credit card number respectively. The pages pose as lists that catalog leaked user data and invite visitors to search it to see if their information is included.

Read 7 remaining paragraphs | Comments