Oh O.K, so it's not a CSS hack. I thought it's something smarter like exploiting... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

mrtksn on Dec 12, 2020 | parent | context | favorite | on: Hackers hide web skimmer inside a website's CSS

Oh O.K, so it's not a CSS hack. I thought it's something smarter like exploiting a JS pattern to trick it to run JS from CSS.

So, the hackers need to have access both to CSS and HTML to put the malicious JS that looks innocent in the HTML and load the malicious JS from the CSS.

Now it makes sense, thanks.

bawolff on Dec 12, 2020 [–]

Which honestly seems like a pretty bad obfuscation technique. Loading a string from a css file and then executing as js is suspicious af. There is literally no reason to ever do that normally.

saagarjha on Dec 12, 2020 | [–]

Of course, detecting this in general is not easy to do.

Consider applying for YC's Summer 2025 batch! Applications are open till May 13
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact