SoylentNews is people
SoylentNews
Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem as a CSS keylogger demo showed the other day.
A few days ago there was a lot of chatter about a 'keylogger' built in CSS.
Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.
While most are acutely aware, yet ignore, the danger presentd by third-party javascript and javascript in general, most forget about CSS. Jake reminds us and walks through quite a few exampled of how CSS can be misused by third-parties exporting it.
Source : Third party CSS is not safe
(Score: 2) by DannyB on Wednesday February 28 2018, @09:29PM
I've heard about strange things Banks do on the web.
Most likely they are trying to protect ${ you | themselves } from someone pretending to be you when logging in to your account.
They do this in all sorts of ways. Sometimes by using "something you know" that is not a password. Maybe "something you know" like a series of animal pictures. The pictures are presented in random order, but if you click the bird, the squirrel, then the ostrich, you must be the right person. Some other malicious JavaScript on the page won't get anything by key logging. And would have to be specially tailored to know about this picture technique, and discover the random arrangement of the images this time, and which ones you clicked.
Some even use (yuk!) Java Applets -- in an effort to hide their authentication attempt within a different execution environment. Nevermind how bad an idea it was, in hindsight, to ever have allowed any ${ Applets | ActiveX | Flash | Silverlight } that can interact with JavaScript on the page. What could possibly go wrong?
The lower I set my standards the more accomplishments I have.