Jordan Eldredge 20 Feb 18
Replying to @captbaritone
I've just tried this out and there is a rather major caveat. This only applies to the explicitly set "value" property of the input. However, this "controlled input" pattern is pretty common in React. I did a little proof of concept here:
Jordan Eldredge 20 Feb 18
Replying to @captbaritone
Another caveat: caching would mean your endpoint would only get pinged once per letter.
Jordan Eldredge 20 Feb 18
Replying to @captbaritone
Still, I suppose it could help you dramatically reduce the probability space.
Jordan Eldredge 20 Feb 18
If you have JS access, a key logger is already trivial.
Darren Owen (DrO | WACUP) 20 Feb 18
Replying to @captbaritone
this is why we can't have nice things.
Jordan Eldredge 20 Feb 18
Replying to @The_DoctorO
Michael Farrell 20 Feb 18
Replying to @captbaritone @reddit
I asked and apparently they aren't vulnerable because we block external resource loads in stylesheets
Jordan Eldredge 20 Feb 18
Replying to @mikefarrell @reddit
Thanks for checking!
Ziyahan Albeniz 20 Feb 18
Replying to @captbaritone @reddit
There is a huge misunderstanding in this concept. To make it work, the password should be reflected in the output. It does not work as a mechanism that logs keystrokes when "a" is typed in the password input.
Jordan Eldredge 20 Feb 18
Replying to @ziyaxanalbeniz @reddit
I've gone and tried this finally. As you said, this does not work for vanilla HTML inputs, but on "controlled" React components it does. Here's what I tried.