Slyck.com
 

Meet PINLogger, The Drive-By Exploit That Steals Smartphone PINs


Post by sunnyd » Tue Apr 18, 2017 3:40 pm

Story : https://arstechnica.com/security/2017/04/meet-pinlogger-the-drive-by-exploit-tha





Smartphones know an awful lot about us. They know if we're in a car that's speeding, and they know when we're walking, running, or riding in a bus. They know how many calls we make and receive each day and the precise starting and ending time of each one. And of course, they know the personal identification numbers we use to unlock the devices or to log in to sites that are protected by two-factor authentication. Now, researchers have devised an attack that makes it possible for sneaky websites to surreptitiously collect much of that data, often with surprising accuracy.

The demonstrated keylogging attacks are most useful at guessing digits in four-digit PINs, with a 74-percent accuracy the first time it's entered and a 94-percent chance of success on the third try. The same technique could be used to infer other input, including the lock patterns many Android users rely on to lock their phones, although the accuracy rates would probably be different. The attacks require only that a user open a malicious webpage and enter the characters before closing it. The attack doesn't require the installation of any malicious apps.

Malicious webpages - or depending on the browser, legitimate sites serving malicious ads or malicious content through HTML-based iframe tags - can mount the attack by using standard JavaScript code that accesses motion and orientation sensors built into virtually all iOS and Android devices. To demonstrate how the attack would work, researchers from Newcastle University in the UK wrote attack code dubbed PINLogger.js. Without any warning or outward sign of what was happening, the JavaScript was able to accurately infer characters being entered into the devices.

"That means whenever you are typing private data on a webpage and this webpage for example has some advert banners at the side or the bottom, the advert provider as part of the page can 'listen in' and find out what you type in that page," Siamak F Shahandashti, one of the Newcastle University researchers who demonstrated the attack, told Ars. "Or with some browsers as we found, if you open a page A and then another page B without closing page A (which most people do) page A in the background can listen in on what you type in page B."






