Keystroke Logging Across Pages: Is it Possible?

TL;DR

A web page cannot directly log keystrokes on another page, whether that page is loaded later in the same tab or is open in a different tab. There are, however, sophisticated techniques attackers can use to try to capture keyboard input. These rely on vulnerabilities in browsers, extensions, or user behaviour rather than direct access between pages. It’s rare but possible, so good security habits (strong passwords, being careful what you click) are important.

Understanding the Limitations

Web pages operate within a ‘sandbox’ – they have limited access to other parts of your computer and other web pages for security reasons. Here’s why direct keystroke logging across pages is difficult:

  • Same-Origin Policy: A page can only directly interact with content from the same domain (website address).
  • Tab Isolation: Different tabs generally have separate JavaScript environments, preventing easy cross-tab access.

How Keystroke Logging *Can* Happen

Attackers don’t usually directly log keystrokes on a different page. Instead, they use these methods:

1. Malware and Keyloggers

  1. Malware Infection: The most common way is through malware installed on your computer. This isn’t a web page problem; it’s an operating system problem.
  2. Keylogger Software: Dedicated keylogging software can record everything you type, regardless of the application or browser.

Protection: Keep your operating system and antivirus software up to date.

2. Browser Extensions

  1. Malicious Extensions: A rogue browser extension can monitor keystrokes within the browser, including on all pages you visit.
  2. Compromised Extensions: Even legitimate extensions can be compromised by attackers.

Protection: Only install extensions from trusted sources and regularly review your installed extensions.

3. Cross-Site Scripting (XSS) Attacks

  1. Vulnerable Websites: If a website is vulnerable to XSS, an attacker can inject malicious JavaScript code into the page.
  2. Keystroke Capture: This injected script could attempt to capture keystrokes on that specific page. However, it’s limited to that single vulnerable page and won’t work across other pages or tabs without further exploitation.

Protection: Websites need to implement robust security measures to prevent XSS attacks (input validation, output encoding). As a user, keep your browser updated as updates often include XSS protections.

4. Phishing and Social Engineering

  1. Fake Login Pages: Attackers create fake login pages that look identical to legitimate ones.
  2. Keystroke Recording: When you enter your credentials on the fake page, the attacker captures them directly. This isn’t a technical exploit of web pages but relies on tricking you.

Protection: Always verify the website address and look for HTTPS (the padlock icon) before entering sensitive information.

5. Session Hijacking

  1. Cookie Theft: Attackers steal your session cookie, allowing them to impersonate you on a website.
  2. Actions as You: They can then perform actions on the website *as if* they were you, without directly logging keystrokes.

Protection: Use strong passwords and enable two-factor authentication whenever possible.

Can a page log keys entered *before* it loads?

No. A page’s JavaScript only runs once that page has loaded in your browser, so it can’t access keystrokes that were typed before the page was present. However, if you’ve previously copied something to your clipboard, and the page uses JavaScript to read from the clipboard, it could potentially access that data.

How to Check for Suspicious Extensions

  1. Chrome: Type chrome://extensions in the address bar.
  2. Firefox: Type about:addons in the address bar.
  3. Safari: Safari > Preferences > Extensions

Review the list of extensions and remove any you don’t recognize or trust.
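
To go one step beyond eyeballing the list, the sketch below checks what each extension's manifest.json allows it to do. It is an added example, not part of the original article: `auditManifest`, `reviewList` and the two sample manifests are constructed for illustration, while `content_scripts`, `matches`, `permissions` and `host_permissions` are the standard manifest keys.

```javascript
// Host match patterns that cover every (or nearly every) website.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const broadOnly = (list) =>
  [...new Set((list || []).filter((p) => typeof p === "string" && BROAD.has(p)))];

// Audit one parsed manifest.json object; returns human-readable findings.
function auditManifest(manifest) {
  const findings = [];

  // Content scripts run inside matching pages, where they can listen
  // for keyboard events. Broad "matches" means every page you visit.
  const csBroad = broadOnly(
    (manifest.content_scripts || []).flatMap((cs) => cs.matches || [])
  );
  if (csBroad.length) findings.push(`content script on all sites: ${csBroad.join(", ")}`);

  // Manifest V3 declares host access in host_permissions; Manifest V2
  // mixes host patterns into permissions.
  const hostBroad = broadOnly([
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []),
  ]);
  if (hostBroad.length) findings.push(`host access to all sites: ${hostBroad.join(", ")}`);

  // With broad host access, the "scripting" permission allows injecting
  // code into any page on demand, without a declared content script.
  if (hostBroad.length && (manifest.permissions || []).includes("scripting")) {
    findings.push("can inject scripts into any page (scripting permission)");
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: "Example Notes", manifest_version: 3,
    permissions: ["storage"],
    content_scripts: [{ matches: ["https://notes.example.com/*"], js: ["n.js"] }] },
  { name: "Example Toolbar", manifest_version: 3,
    permissions: ["storage", "scripting"], host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["*://*/*"], js: ["t.js"] }] },
];

// Returns [{ name, findings }] for extensions with at least one finding.
function reviewList(manifests) {
  return manifests
    .map((m) => ({ name: m.name, findings: auditManifest(m) }))
    .filter((r) => r.findings.length > 0);
}

console.log(JSON.stringify(reviewList(SAMPLES), null, 2));
```

A finding means the extension is able to see what you type on every page, not that it does; many legitimate extensions need this access, so treat the output as a shortlist of the extensions that most deserve your trust decision.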