Huge Flash vulnerability in Google Chrome for Mac [updated]
A few days ago I found a huge vulnerability in Google Chrome for Mac. To the point: it is possible to use a website as a keylogger, logging every pressed key as long as the website is open! I found the vulnerability while I was playing a game in Chrome and chatting with a classmate. While I was typing text to my classmate, the game still responded to the keys I pressed! I researched this and tested a lot, and I can say that it is a huge privacy leak.
Tip: see the updates at the bottom of the post; some things have already changed.
How Flash works
To understand everything, you need to know how Flash works. Inside Flash there are many things: pictures, scripts, movies and so on. But that is not the interesting part. It is about the interaction between the user and Flash. Normally, interaction is only possible when Flash has the focus.
Focus
In a web page only one object can have the focus. It could be a form field, a hyperlink, a Flash object or something else. When an object has the focus, the user can interact with it. In Flash, you can read the keys pressed by the user, like in a game.
When an object has the focus and you click on another object, the first object loses the focus. That is just how it has to be: you cannot type in two form fields at the same time. And it is exactly the same with Flash objects: you cannot play a game and enter text in an HTML form field at the same time.
The problem
The focus is exactly the point where everything goes wrong. Flash keeps the focus in Chrome, even if something else gets the focus! That can happen within one page: you have both a focused Flash object and a focused form field. Or within the whole browser: Flash in tab #1 has the focus, and a form field in tab #2 too. But the worst is that it even happens outside of Chrome: a Flash object in Chrome can have the focus while another application has the ‘real’ focus!
The risk
Maybe you are asking yourself what the bad people in the world can do with this exploit. I will explain it to you (and it is not very difficult, trust me): bad people can use Chrome as a keylogger! The only thing the user has to do is open a web page and give the focus to the Flash object. It is not difficult to make the user do that. If a bad person has a big site, he can just put the Flash object on it. Otherwise he has to put it on other sites, and that is very easy, since many ad platforms (including Google AdWords) support Flash ads.
To make the user give the focus to the Flash object (by clicking on it), the easiest way is to let it sit on top of the whole page at 100% size. Just use a transparent Flash object for that, and the first time the user clicks on the page the Flash object gets the focus. Then you can scale the Flash object down to its original size (like the size of the ad) and nobody will ever know what happened.
Then you can start keylogging, and that is easy. You need a part that logs the entered keys and something to send them to your server. I think an experienced Flash developer could build this in an hour.
As long as the web page is open, all entered keys can be logged.
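A markup check for the transparent, page-covering Flash object described above, added here as an example and not code from the original post. The sample HTML is constructed, and the heuristic (wmode transparent combined with 100% size or fixed positioning) is my assumption about what such an overlay looks like in a page:

```python
from html.parser import HTMLParser
FLASH_MIME = "application/x-shockwave-flash"

# Constructed sample page (not from the original post): one ordinary Flash ad
# and one transparent, page-covering Flash object of the kind the post describes.
SAMPLE_HTML = """
<html><body>
<embed src="ad.swf" width="300" height="250" type="application/x-shockwave-flash">
<object type="application/x-shockwave-flash" data="overlay.swf"
        width="100%" height="100%" style="position:fixed; top:0; left:0">
  <param name="wmode" value="transparent">
</object>
</body></html>
"""

class FlashObjectScanner(HTMLParser):
    """Collects Flash <embed>/<object> elements with their attributes and <param>s."""
    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None  # <object> whose <param> children are being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("embed", "object") and a.get("type", "").lower() == FLASH_MIME:
            entry = {"attrs": a, "params": {}}
            self.objects.append(entry)
            self._current = entry if tag == "object" else None
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def find_suspicious_flash(html):
    """Return src/data of Flash objects that are both transparent and page-covering."""
    scanner = FlashObjectScanner()
    scanner.feed(html)
    flagged = []
    for obj in scanner.objects:
        a, p = obj["attrs"], obj["params"]
        # wmode may be an <embed> attribute or an <object> <param> (assumed heuristic)
        transparent = (a.get("wmode") or p.get("wmode", "")).lower() == "transparent"
        style = a.get("style", "").replace(" ", "").lower()
        full_size = ((a.get("width"), a.get("height")) == ("100%", "100%")
                     or "position:fixed" in style)
        if transparent and full_size:
            flagged.append(a.get("data") or a.get("src"))
    return flagged
```

Running it over the sample flags only overlay.swf; the ordinary 300x250 ad is left alone.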
Why is this so dangerous?
This exploit is so dangerous because you do not know that it exists. ‘Normal’ exploits can be found on sites where you look for serials, cracks or porn (or when you really believe an ad that says your computer is infected by a virus, but then you are just stupid). You will never know that this exploit is being used on your computer; after closing your browser everything is gone (including all your entered passwords, to the server of the bad person).
My advice
I really recommend that you stop using Chrome for Mac right now. Until this is fixed you cannot trust Chrome and you should stop using it.
I know Chrome for Mac is just a developer release at the moment. But because Chrome is so fast and nice, I think many people are already using it. That is also the reason why I published the news this way: a bug report in Chrome’s bug tracker would not inform the users.
Demo
Like Dr. Gregory House says: “Everybody lies.” To prove that I am right, and not a stupid liar, here is a demo. You can use the arrow keys on your keyboard to move the square (after you have given the Flash object the focus). Enjoy, and do not get addicted to this!
Download (modified version): swf or fla (source code).
Source (original version): Flash Game Design.
Updates
3-11-2009 16:54: I do not have an official statement from Google yet, but we can read that they are working on it.
3-11-2009 17:04: Good news, this exploit does not exist in Chrome for Linux.
3-11-2009 17:35: The exploit has been confirmed by a developer (???) at Google.
3-11-2009 21:45: Thanks to God Google it is not possible to log the keys entered in password fields of other applications. But stay away from Chrome for now: password fields in Chrome can be logged by Flash. That is caused by another bug that I found a few minutes ago.
In the news
- Webwereld: Lek in Chrome voor Mac laat keylogging toe (5-11-2009, Dutch)
- Marketingfacts: The Google Facts: Over Analytics, Admob en Android (16-11-2009, Dutch)
And… one more thing
Thanks to @SossieNL for testing and confirming the vulnerability.
The exploit has been submitted to Google and can be found under issue ID 26585.
And because we all know that Adobe® hates their users and free publicity, one last thing: Adobe and Flash are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.