by Dan Goodin - Dec 2, 2012 - arstechnica
Technique also works for any data entered into a browser's search box
Be careful what you type on your computer while surfing the Web. It very well could be funneled to a script kiddie who has appropriated a handful of lines of code and inserted it into his site.
The hack has been possible for years, but two proofs of concept published this month graphically demonstrate just how easy it is for even savvy people to fall for it. Both demonstrations use JavaScript to hijack the search command found in all standard browsers. The script is activated when a user presses the ctrl+f or ⌘+f keys, causing whatever is typed after that to be sent to a server under the control of the website operator rather than to the browser's search box.
Proofs of concept here1 and here2 show how this method could be used to trick people into divulging their password or credit card number, respectively. The pages pose as lists that catalog leaked user data and invite visitors to search it to see if their information is included.
http://ars.to/YnHweM
From the here2 link mentioned above (a list of numbers presented as leaked credit card numbers):
See the Problem?
Upon seeing a list like this, it's a fairly natural reaction to try to find your credit card number in the list. People assume that when they press ctrl+f in their browser they will be opening the browser's search bar. Because browsers allow JavaScript to trap control sequences, an attacker can present a fake search bar, tricking the user into entering his real credit card number.
This is obviously only a proof of concept. I styled the search box to look like it does on OSX, but it would be trivial to detect the user's operating system and present them with a more appropriate search bar. Similarly, I don't replicate all of the search bar behaviour (such as actually searching the page). This too would be trivial to replicate. See below for screenshots of the fake search bar compared to the real search bar in my browser.
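A defender-side illustration of the mechanism described above, added here and not taken from the article or from either proof of concept: a static heuristic that flags page scripts which intercept Ctrl/Cmd+F and suppress the browser's own find bar. The signal names, verdict labels and sample scripts are constructed, and matching regexes against script source is an assumption that will miss obfuscated code.

```javascript
// Added example: static heuristic that flags scripts trapping the find shortcut.
// Signal names, verdict labels and all sample scripts are constructed.
const CHECKS = [
  { id: 'key-listener', re: /addEventListener\s*\(\s*['"]key(?:down|press|up)['"]|\bonkey(?:down|press|up)\s*=/ },
  { id: 'modifier-test', re: /\b(?:ctrlKey|metaKey)\b/ },
  { id: 'f-key-test', re: /\b(?:keyCode|which)\s*={2,3}\s*(?:70|102)\b|={2,3}\s*['"](?:[fF]|KeyF)['"]/ },
  { id: 'default-blocked', re: /\bpreventDefault\s*\(|\breturn\s+false\b/ },
  { id: 'network-sink', re: /\bfetch\s*\(|\bXMLHttpRequest\b|\bsendBeacon\s*\(|\bnew\s+Image\b/ },
];

function scanScript(source) {
  // Drop comments so commented-out code produces no findings.
  const code = source
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(^|[^:])\/\/.*$/gm, '$1');
  const hits = CHECKS.filter((c) => c.re.test(code)).map((c) => c.id);
  const has = (id) => hits.includes(id);
  // The shortcut counts as trapped only when the handler both recognises
  // Ctrl/Cmd+F and suppresses the browser's default action.
  const trapsFind = ['key-listener', 'modifier-test', 'f-key-test', 'default-blocked'].every(has);
  // In-page search (editors, document viewers) legitimately traps the
  // shortcut, so that alone is 'review'; a network sink in the same
  // script raises the verdict to 'high'.
  let verdict = 'clean';
  if (trapsFind) verdict = has('network-sink') ? 'high' : 'review';
  return { verdict, hits };
}

// Constructed sample: traps the shortcut and posts what is typed.
const SAMPLE_TRAP = `
document.addEventListener('keydown', function (e) {
  if ((e.ctrlKey || e.metaKey) && e.keyCode === 70) {
    e.preventDefault();
    fakeBar.style.display = 'block';
  }
});
fakeBar.oninput = function () { navigator.sendBeacon('/log', fakeBar.value); };
`;
// Constructed sample: an editor opening its own search panel, no network use.
const SAMPLE_EDITOR = `
window.addEventListener('keydown', (e) => {
  if (e.ctrlKey && e.key === 'f') { e.preventDefault(); editor.openSearchPanel(); }
});
`;
// Constructed sample: ordinary page script with an unrelated key handler.
const SAMPLE_BENIGN = `
document.addEventListener('keydown', (e) => { if (e.key === 'Escape') closeModal(); });
fetch('/api/items');
`;
```

A `review` verdict is expected on applications that ship their own in-page search; it marks a script for a human to read, not a confirmed problem.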

