Browser Event Hijacking

By: Ben Toews

TL;DR: preventDefault can be bad

In playing with the preventDefault method on JavaScript events, it occured to me that one can easily hijack events that should get passed through to the browser. The example that I will be discussing here is the ctrl+f or ⌘+f combination. This ubiquitous key combination results in a search box of some type being displayed to the user. With browser and OS key bindings, there is a user expectation of continuity. We are conditioned as users to expect that pressing these key combinations will have a certain effect. The interruption of this continuity can have security implications.

In the example hosted here, a list of information that a user might be tempted to search through is presented. JavaScript on the page hijacks the ctrl+f and ⌘+f combinations, presenting a search box that is nearly identical to the browser search box users would see running Google Chrome on OSX. While normally, JavaScript wouldn’t have access to the contents of the search box, the fake search box is obviously accessible to the malicious site.

Fake Browser Search Bar

Fake Browser Search Bar

Real Browser Search Bar (Google Chrome on OSX)

Real Browser Search Bar (Google Chrome on OSX)

The ability of a malicious site to interrupt the expected continuity of user interaction with a web browser constitutes a breach of user trust on the part of the web browser. Because the user trusts that this key combination will trigger a browser event, they will trust the search bar presented by the site and interact with it as they would with the browser. Other key combinations could be similarly attacked. For example, ctrl+s/⌘+s or ctrl+o/⌘+o could be hijacked and could display a fake dialog claiming that the user’s password is required for file-system access. Specific attack scenarios aside, it is problematic to have ambiguity about the boundaries between browser and web app. More generally, a lower trust component should not have the ability to affect the behavior of a higher trust component.

This page in probably won’t be convincing for users of different operating systems or browsers, but with a bit more effort, the script could detect browser and OS and display an appropriate search box. It could also easily emulate other browser behavior like highlighting entered text or scrolling around the page.

What is the solution, though? There are a few solutions that come to mind:

  1. Place the browser search box in a part of the browser that could not be confused with website content.
  2. Warn the user when a site attempts to call preventDefault on an event that is registered as a browser key binding.

I raised this issue to the Chrome team and it was labeled as a low-priority issue. I’m not sure that I disagree with that analysis, but I do think that this is an issue that should be considered.

24 thoughts on “Browser Event Hijacking

  1. This is a great trick!

  2. Very simple and in same time interesting case!

  3. Sigh…. Nice to see another way that your information can be leaked

    & to mke it a high priority issue.. have it show up in the “wild”

  4. Pingback: How script kiddies can hijack your browser to steal your password |

  5. Pingback: How script kiddies can hijack your browser to steal your passwordQuick iPhone Apps | Quick iPhone Apps

  6. Pingback: Malafide site kaapt zoekfunctie via JavaScript | Tech-nieuws

  7. Indeed a simple but effective tric.

    I wonder, if you’d do this with the Chrome Extension manager, how many people would be tricked in installing a malicious addon?

  8. Could this be used to hijack the browser menu commands as well? In your example CTRL+F brings up the “fake” search box, but choosing the “Find” command from the menu in Chrome does not.

    • No. Ctrl-F is a keyboard-shortcut to trigger the “Find” functionality normally started by clicking on the menu item, where as clicking on the menu item das not trigger the “Ctrl-F” keyboard event on the website.
      The website can capture “Ctrl-F” because it can capture keyboard events, and then can prevent that that same keyboard event is passed on to the browser application itself – it’s that last step, the prevention of the passing-on, that gives authority to the input box opened by the javascript, because the browser-provided input field doesn’t appear at all.

  9. Pingback: » Atak, który wykradnie Twoje hasło do każdego konta… -- --

  10. Good idea, if you read the Browser information, you can fake any browser.

    When I think about it, can a webside read your Firefox “Persona”? If not, everyone who is using a Persona in Firefox, will notice the difference of colours and background.

    One good thing: Does not work with noscript active 😀

  11. Pingback: Passwörter klauen mit preventDefault() | Klaus Ahrens: News, Tipps, Tricks und Fotos

  12. Pingback: Security Issues with Browser Search Box | Life As I Know It

  13. Pingback: News Atak, który wykradnie Twoje hasło do każdego konta…

  14. Pingback: Blogger demonstrieren gewieften Passwortklau | – News Blog aus vielen Bereichen

  15. Pingback: Ευπάθεια στους Browsers επιτρέπει την υποκλοπή κωδικών πρόσβασης

  16. Pingback: Οι πλέον χρησιμοποιούμενες τεχνικές hacking ιστοσελίδων για το 2012

  17. Pingback: Top Ten Web Hacking Techniques of 2012 - D0znpp blog

  18. Pingback: Top Ten Web Hacking Techniques of 2012 | Phong Tử Blog - Cuộc Đời Lắm Gian Nan!

  19. Pingback: CRONICAS DE UN HACKER… Las 10 mejores técnicas de hacking web en el 2012 | Factor Noticia

  20. Excellent little trick, thanks.

  21. Pingback: Anonymous

  22. Pingback: Hacking for Beginners- Top Website Hacks « DECISION STATS

  23. Pingback: Huppla Hijack a browser event – sweet and simple

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s